The global cybersecurity landscape has become increasingly troubled in recent years. Through the pandemic, criminals took advantage of hastily reconfigured networks as businesses moved to remote work environments. Generally available statistics show that in 2020 malware attacks grew by more than 350% globally over 2019, with a further increase of 125% in 2021 and a continuing upward trend in 2022. Since the beginning of the Russia-Ukraine war, Russia-based phishing attacks against the email systems of European and US-based businesses have increased eight-fold, and cyber threats have also increased in many other ways.
Ransomware attacks continue to pose a serious threat to individuals and organisations, with advanced attack methods forcing pay-outs from victims. In the first half of 2022, more than 230 million attacks were reported worldwide. Ireland has also shown its vulnerabilities, with the major attack on the HSE in 2021 highlighting the issue for many people. Malware attacks grew by over 400% in Ireland in the first full year of the pandemic and have continued at very high levels.
A recent study, published by Microsoft and Vodafone, found that the average small/medium Irish business lost €8,500 to cyberattacks in the last three years, adding up to a total of €2.3 billion. Of those who experienced a breach, 43% said they had been attacked up to five times in that period.
Leading global organisations, including the World Economic Forum, have warned that cyber security risks will have a major impact on businesses and countries globally over the coming years. Directly and/or indirectly, cybersecurity threats are likely to have an impact on us all.
A substantial majority of companies are still not reporting that they receive and deal with cyber attacks. Investors, regulators and the informed public are aware that companies will regularly be fending off cyber attacks of varying degrees of sophistication and success. Almost half of the UK FTSE 100 companies report an increase in cyber attacks attributed to the pandemic, the move to remote/hybrid working, and geopolitical tensions.
With board oversight of technological capability, opportunity and risk critical to company success, regulators are increasingly focused on how companies report cyber risk and breaches in security. It is important for companies to tell the full story. Earlier this year, regulators published the following:
In September, Deloitte published ‘Cyber risk and governance reporting in the UK: Improvement required!’.
Digital Security Risk Disclosure
The FRC Lab report is accompanied by a separate summary of findings and a report containing a risk disclosure example for a bank. The main report is designed to be of use to reporting and risk teams who are involved in corporate reporting, and for audit committees who review the resultant disclosures.
When determining which disclosures to provide, consideration needs to be given to the needs of investors and stakeholders for information of sufficient quality and reliability that takes account of materiality and the potential sensitivity of information. Companies may consider disclosures that:
The FRC Lab report outlines a wide range of disclosure recommendations, under the headings of strategy, risk, governance and events. It concludes with guidance on what audit committees should consider to determine if a company’s disclosures clearly communicate sufficient information to meet stakeholder needs.
SEC – Cybersecurity Disclosures
The SEC has issued a proposed rule that would require registrants to provide enhanced disclosures about ‘cybersecurity incidents and cybersecurity risk management, strategy and governance’.
The proposed rule addresses concerns related to the pervasive use of digital technologies, the shift to hybrid work environments, the rise in the use of crypto assets, and the increase in illicit profits from ransomware and stolen data, all of which continue to escalate cybersecurity risk and its related cost to registrants and investors.
Costs and consequences of a cybersecurity incident may include remediation expenses, lost revenues, litigation, increased insurance premiums, reputational damage, and erosion of shareholder value.
In 2011 and 2018, the SEC issued interpretive guidance that did not create any new disclosure obligations but rather presented the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.
The proposed rule would establish new requirements related to:
All types of periodic SEC filers would be affected by the proposed rule, including domestic registrants, foreign private issuers, smaller reporting companies, and emerging growth companies.
Of particular importance are clear protocols for escalating incidents, drafting the notifications, and obtaining the necessary approvals. These can make the difference between (1) meeting tight notification deadlines and gaining credibility with the applicable regulator, and (2) missing the deadline and starting off by having to explain to the regulator why the notification was late, which can undermine the regulator’s view of the overall competence of the response.
Corporate Reporting – Improvement Required
Our report ‘Cyber risk and governance reporting in the UK: Improvement required!’ is based on company disclosures across the FTSE 100.
The review of annual reports shows:
The report sets out a number of observations and insights under the following headings:
The report provides links to a number of illustrative examples of cyber risk and governance disclosure from the survey of FTSE 100 annual reports. These include the annual report of Weir Group PLC, which clearly disclosed a cybersecurity incident that took place during the year and set out the steps taken to remediate it.
The appendices to the report also include a summary of the key features of both the SEC proposed rule change and the FRC Lab report.
The report also makes reference to the findings of the report ‘Digital frontier: a technology deficit in the boardroom’. The Deloitte Global Boardroom Program reports the findings of a survey covering more than 500 directors and C-suite executives and conversations with leaders, directors, and subject matter specialists to find out what’s being done in boardrooms around the world when it comes to technology.
The survey found that fewer than half of executives and board members surveyed believe their board is providing enough oversight of technology matters. Meanwhile, 44% of executives said that their board directors lack the knowledge they need to provide effective stewardship over technology strategy.
Conclusion
Investment in technology can transform performance and support companies in protecting against the risks of cyber attacks. Companies need to reasonably assess whether they have the experience and expertise necessary to deal with these risks, to understand where any gaps are, and to determine where they may need to engage with external advice and assistance.
Strong disclosure of risks and mitigating features both explains the opportunities and explores the changes in risk profile, helping investors to form a view on whether a company is doing enough to manage its risk and embrace opportunity.
Irish/UK GAAP & Related Developments
IAASA highlights matters for companies to consider when preparing their 2022 financial statements
IAASA publication: Climate-related disclosures in financial reports – IAASA information requests
FRC publishes findings on the quality of corporate reporting in 2021/2022
FRC Lab publishes report on net zero disclosures
FRC publishes report on board diversity
IFRS & Related Developments
IASB finalises amendments to IAS 1 regarding the classification of debt with covenants
European common enforcement priorities for 2022 annual financial reports
IOSCO and IVSC sign statement of cooperation
Legal & Regulatory Matters
IESBA - The Ukraine Conflict: Key Ethics and Independence Considerations
Publications
IFRS Model Financial Statements 2022
Corporate governance reporting highlights — areas for future focus
Governance in focus — On the board agenda 2022
Our annual review of board topics will stimulate your thinking and help prepare you for the year ahead. Across the board, expectations of business are rising, and it is this demanding environment which shapes the articles in this year’s publication.
Welcome to our one-stop guide covering the issues relevant to the preparation of December 2021 annual reports.
Annual Report Insights 2021 - Surveying FTSE Reporting
Our yearly survey scours the annual reports of 100 listed UK companies and provides insight and inspiration ahead of the next reporting season.
IFRS Model Financial Statements 2022
The Model for 2022 illustrates the presentation and disclosure requirements of IFRS Standards and also contains ‘best practice’ examples.
IFRS in your pocket is a comprehensive summary of the current IFRS Standards and Interpretations along with details of the projects on the standard-setting agenda of the International Accounting Standards Board.
Our IFRS e-learning platform allows external users to complete over 40 of Deloitte’s IFRS e-learnings free of charge with 6 million+ uses in recent years.
Understanding the differences between U.S. GAAP and IFRS Standards
A comprehensive 380-page publication focusing on some of the most common and significant differences that may affect financial statements when converting from U.S. GAAP to IFRS Standards and vice versa. Updated to 2022.
Corporate governance reporting highlights — areas for future focus
Key messages and expectations for further improvements in corporate governance reporting and examples of better disclosure.
IFRS Foundation Trustees' sustainability reporting initiative
Summary of continuing developments.
Highlights some of the key accounting and disclosure issues to be considered by entities that may arise as a result of COVID-19 in preparing financial statements.