{"id":23569,"date":"2019-05-12T18:30:05","date_gmt":"2019-05-12T22:30:05","guid":{"rendered":"http:\/\/www.riacanada.ca\/?p=23569"},"modified":"2019-08-28T11:46:38","modified_gmt":"2019-08-28T15:46:38","slug":"phishing-for-better-cyber-risk-disclosure","status":"publish","type":"post","link":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/","title":{"rendered":"Phishing for Better Cyber Risk Disclosure"},"content":{"rendered":"<p>Yahoo!, Equifax and Sony have all been affected by an increasingly common event: large data breaches that harmed their reputation and caused them to lose the trust of their customers.<\/p>\n<p>As external attacks like these happen more frequently, investors need to understand the data security practices of the companies they invest in. They need to be confident that companies are mitigating related risks and are prepared to respond to a breach quickly and effectively.<\/p>\n<h2>Going Above and Beyond<\/h2>\n<p>The Sustainability Accounting Standards Board (SASB) <a href=\"http:\/\/library.sasb.org\/wp-content\/uploads\/2017\/11\/StateofDisclosure17-Report-EXCERPT-112117.pdf?hsCtaTracking=5ebf0298-a0c8-48aa-b7c2-52c5097a4faf%7C5ab56db9-d670-49c5-9bc8-d8b5127f1eac\" target=\"_blank\" rel=\"noopener\">defines \u201cdata security\u201d<\/a> as \u201ctechnologies, processes, and practices that companies employ to protect networks, computers, programs, digital products, and data from external attacks, damage, or unauthorized access.\u201d Thus, \u201cdata security\u201d and \u201ccyber security\u201d can be used interchangeably in this context.<\/p>\n<p>According to the <a href=\"https:\/\/www.pwc.com\/us\/en\/advisory-services\/publications\/consumer-intelligence-series\/protect-me\/cis-protect-me-findings.pdf\" target=\"_blank\" rel=\"noopener\">2017 PwC US Protect.me survey<\/a>, 92% of consumers agree that companies must be proactive about data protection and 60% say the responsibility of protecting data rests with companies \u2014 not governments. Furthermore, they expect companies to go beyond legal requirements. In light of these concerns, PwC suggests companies put cyber\u00a0security and privacy at the forefront of their business strategy to retain customers\u2019 trust.<\/p>\n<h2>Cause and Effect<\/h2>\n<p>A <a href=\"https:\/\/public.dhe.ibm.com\/common\/ssi\/ecm\/se\/en\/sel03130wwen\/security-ibm-security-services-se-research-report-sel03130wwen-20180122.pdf\" target=\"_blank\" rel=\"noopener\">Ponemon Institute and IBM Security study<\/a> of 419 companies in 13 countries found that data breaches are mainly caused by malicious or criminal attacks (47%), a human error (28%), or a system glitch (25%). Astoundingly, they found that the total cost of a data breach averages $3.62 million.<\/p>\n<p>In 2017, the Canadian Securities Administrators (CSA) <a href=\"https:\/\/www.osc.gov.on.ca\/documents\/en\/Securities-Category5\/20170119_51-347_disclosure-cyber-security.pdf\" target=\"_blank\" rel=\"noopener\">reviewed<\/a> 240\u00a0S&amp;P\/TSX Composite Index companies\u2019 annual filings. They noted that the following potential impacts of a cyber\u00a0security incident were frequently identified by a variety of issuers across different industries:<\/p>\n<ul>\n<li>Compromised confidential customer or employee information;<\/li>\n<li>Unauthorized access to proprietary or sensitive information;<\/li>\n<li>Destruction or corruption of data;<\/li>\n<li>Lost revenues due to a disruption of activities, incurring of remediation costs;<\/li>\n<li>Litigation, fines and liability for failure to comply with privacy and information security laws;<\/li>\n<li>Regulatory investigations and heightened regulatory scrutiny;<\/li>\n<li>Higher insurance premiums;<\/li>\n<li>Reputational harm affecting customer and investor confidence;<\/li>\n<li>Diminished competitive advantage and negative impacts on future opportunities;<\/li>\n<li>Effectiveness of internal control over financial reporting.<\/li>\n<\/ul>\n<h2>Business Case for Cyber Risk Disclosure<\/h2>\n<p>Investors looking to assess if a company is protected against data breaches would typically look to company disclosure regarding cyber risks, potential impacts, as well as governance and risk mitigation. However, companies do not disclose this information consistently and completely. In the same review, the CSA found that only 61% of the companies addressed cyber\u00a0security issues in some capacity in their disclosure of risk factors.<\/p>\n<p>These findings can be extrapolated to companies outside of Canada. The PRI recently published a <a href=\"https:\/\/www.unpri.org\/governance-issues\/stepping-up-governance-on-cyber-security-what-is-corporate-disclosure-telling-investors\/3452.article\" target=\"_blank\" rel=\"noopener\">report<\/a> which summarized a review of 100 companies\u2019 public disclosure on cyber governance and risk management. The research sample included companies in a variety of sectors from Europe, the US, Australia and Asia. The report states that \u201cWhile companies generally perceived cyber\u00a0security as a key organizational risk, very few communicated that they have policies, governance structures and processes that were effective at tackling cyber threats.\u201d \u00a0The report is an excellent tool for investors looking to engage with companies regarding cyber risk. For each key question the research covered, investor relevance is explained and good practices for companies are outlined.<\/p>\n<p>Cyber\u00a0security incidents have the potential to materially impact a company. Investors need to engage with companies to request more comprehensive disclosure regarding cyber risk governance and risk management practices. Hopefully in the future companies will improve corporate disclosure regarding data security. In the meantime, investors can use the PRI report as a guide in their stewardship efforts.<\/p>\n<p><strong>Sources:<\/strong><\/p>\n<ul>\n<li>The Sustainability Accounting Standards Board. \u201cThe State of Disclosure 2017\u201d (2017).<\/li>\n<li>PwC. \u201cConsumer Intelligence Series: Protect.me\u201d (2017).<\/li>\n<li>IBM Security and Ponemon Institute. \u201c2017 Cost of Data Breach Study\u201d (2017).<\/li>\n<li>Canadian Securities Administrators. \u201cCSA Multilateral Staff Notice 51-347 Disclosure of cyber security risks and incidents\u201d (2017).<\/li>\n<li>Principles for Responsible Investing. \u201cStepping Up Governance on Cyber Security: What is Corporate Disclosure Telling Investors?\u201d (2018).<\/li>\n<\/ul>\n<h5>Disclaimer<br \/>\nThe views and opinions expressed in this article are solely those of the authors and do not necessarily reflect the view or position of the Responsible Investment Association (RIA). The RIA does not endorse, recommend, or guarantee any of the claims made by the authors. This article is intended as general information and not investment advice. We recommend consulting with a qualified advisor or investment professional prior to making any investment or investment-related decision.<\/h5>\n","protected":false},"excerpt":{"rendered":"<p>Yahoo!, Equifax and Sony have all been affected by an increasingly common event: large data breaches that harmed their reputation and caused them to lose the trust of their customers. As external attacks like these happen more frequently, investors need to understand the data security practices of the companies they invest in. They need to [&hellip;]<\/p>\n","protected":false},"author":7472,"featured_media":24499,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Phishing for Better Cyber Risk Disclosure - Responsible Investment Association<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Phishing for Better Cyber Risk Disclosure - Responsible Investment Association\" \/>\n<meta property=\"og:description\" content=\"Yahoo!, Equifax and Sony have all been affected by an increasingly common event: large data breaches that harmed their reputation and caused them to lose the trust of their customers. As external attacks like these happen more frequently, investors need to understand the data security practices of the companies they invest in. They need to [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/\" \/>\n<meta property=\"og:site_name\" content=\"Responsible Investment Association\" \/>\n<meta property=\"article:published_time\" content=\"2019-05-12T22:30:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-08-28T15:46:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riacanada.ca\/wordpress\/content\/uploads\/2018\/10\/ai-artificial-intelligence-board-326461.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"4656\" \/>\n\t<meta property=\"og:image:height\" content=\"3084\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Editor\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Editor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/\",\"url\":\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/\",\"name\":\"Phishing for Better Cyber Risk Disclosure - Responsible Investment Association\",\"isPartOf\":{\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/#website\"},\"datePublished\":\"2019-05-12T22:30:05+00:00\",\"dateModified\":\"2019-08-28T15:46:38+00:00\",\"author\":{\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/#\/schema\/person\/f2be4012fcff4c43224b4fb6b60e81d4\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.riacanada.ca\/wordpress\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Phishing for Better Cyber Risk Disclosure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/#website\",\"url\":\"https:\/\/www.riacanada.ca\/wordpress\/\",\"name\":\"Responsible Investment Association\",\"description\":\"Canada&#039;s membership network for responsible investment\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riacanada.ca\/wordpress\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/#\/schema\/person\/f2be4012fcff4c43224b4fb6b60e81d4\",\"name\":\"Editor\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riacanada.ca\/wordpress\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3bf09c69911f589161408f2ea70f5b5e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3bf09c69911f589161408f2ea70f5b5e?s=96&d=mm&r=g\",\"caption\":\"Editor\"},\"url\":\"https:\/\/www.riacanada.ca\/wordpress\/magazine\/author\/ria-editor\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Phishing for Better Cyber Risk Disclosure - Responsible Investment Association","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/","og_locale":"en_US","og_type":"article","og_title":"Phishing for Better Cyber Risk Disclosure - Responsible Investment Association","og_description":"Yahoo!, Equifax and Sony have all been affected by an increasingly common event: large data breaches that harmed their reputation and caused them to lose the trust of their customers. As external attacks like these happen more frequently, investors need to understand the data security practices of the companies they invest in. They need to [&hellip;]","og_url":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/","og_site_name":"Responsible Investment Association","article_published_time":"2019-05-12T22:30:05+00:00","article_modified_time":"2019-08-28T15:46:38+00:00","og_image":[{"width":4656,"height":3084,"url":"https:\/\/www.riacanada.ca\/wordpress\/content\/uploads\/2018\/10\/ai-artificial-intelligence-board-326461.jpg","type":"image\/jpeg"}],"author":"Editor","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Editor","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/","url":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/","name":"Phishing for Better Cyber Risk Disclosure - Responsible Investment Association","isPartOf":{"@id":"https:\/\/www.riacanada.ca\/wordpress\/#website"},"datePublished":"2019-05-12T22:30:05+00:00","dateModified":"2019-08-28T15:46:38+00:00","author":{"@id":"https:\/\/www.riacanada.ca\/wordpress\/#\/schema\/person\/f2be4012fcff4c43224b4fb6b60e81d4"},"breadcrumb":{"@id":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/phishing-for-better-cyber-risk-disclosure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.riacanada.ca\/wordpress\/"},{"@type":"ListItem","position":2,"name":"Phishing for Better Cyber Risk Disclosure"}]},{"@type":"WebSite","@id":"https:\/\/www.riacanada.ca\/wordpress\/#website","url":"https:\/\/www.riacanada.ca\/wordpress\/","name":"Responsible Investment Association","description":"Canada&#039;s membership network for responsible investment","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riacanada.ca\/wordpress\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.riacanada.ca\/wordpress\/#\/schema\/person\/f2be4012fcff4c43224b4fb6b60e81d4","name":"Editor","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riacanada.ca\/wordpress\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/3bf09c69911f589161408f2ea70f5b5e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3bf09c69911f589161408f2ea70f5b5e?s=96&d=mm&r=g","caption":"Editor"},"url":"https:\/\/www.riacanada.ca\/wordpress\/magazine\/author\/ria-editor\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/posts\/23569"}],"collection":[{"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/users\/7472"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/comments?post=23569"}],"version-history":[{"count":12,"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/posts\/23569\/revisions"}],"predecessor-version":[{"id":36428,"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/posts\/23569\/revisions\/36428"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/media\/24499"}],"wp:attachment":[{"href":"https:\/\/www.riacanada.ca\/wordpress\/wp-json\/wp\/v2\/media?parent=23569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}