Cybersecurity risk and corporate reporting

Financial Reporting Brief: November 2022

The global cybersecurity landscape has been increasingly troubled in recent years. Through the pandemic, criminals took advantage of misaligned networks as businesses moved to remote work environments. Generally available statistics show that in 2020 malware attacks grew by more than 350% globally over 2019, with a further increase of 125% in 2021, and a continuing upward trend in 2022. Since the beginning of the Russia-Ukraine war, Russian-based phishing attacks against emails of European and US-based businesses have increased eight-fold, and cyber threats have also increased in many other ways.

Ransomware attacks are continuing to pose a serious threat to individuals and organisations, with advanced attack methods forcing pay-outs from victims. In the first half of 2022, more than 230 million attacks have been reported worldwide. Ireland has also shown its vulnerabilities with the major attack on the HSE in 2021 highlighting the issue for many people. Malware attacks grew by over 400% in Ireland in the first full year of the pandemic, and have continued at very high levels.

A recent study, published by Microsoft and Vodafone, found the average small/medium Irish business lost €8,500 in cyberattacks in the last three years, adding up to a total of €2.3 billion. Of those who experienced a breach, 43% said they had been attacked up to five times in that period.

Leading global organisations, including the World Economic Forum, have warned that cyber security risks will have a major impact on businesses and countries globally over the coming years. Directly and/or indirectly, cybersecurity threats are likely to have an impact on us all.

A substantial majority of companies are still not reporting that they receive and deal with cyber attacks. Investors, regulators and the informed public are aware that companies will regularly be fending off cyber attacks of varying degrees of sophistication and success. Almost half of the UK FTSE 100 companies report an increase in cyber attacks attributed to the pandemic, the move to remote/hybrid working, and geopolitical tensions.

With board oversight of technological capability, opportunity and risk critical to company success, regulators are increasingly focused on how companies report cyber risk and breaches in security. It is important for companies to tell the full story. Earlier this year, regulators published the following:

  • Digital Security Risk Disclosure – published by the UK FRC Lab in August; and
  • Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure – published by the US SEC in March.

In September, Deloitte published ‘Cyber risk and governance reporting in the UK: Improvement required!’.

Digital Security Risk Disclosure

The FRC Lab report is accompanied by a separate summary of findings and a report containing a risk disclosure example for a bank. The main report is designed to be of use to reporting and risk teams who are involved in corporate reporting, and to audit committees who review the resultant disclosures.

When determining which disclosures to provide, consideration needs to be given to the needs of investors and stakeholders for information of sufficient quality and reliability that takes account of materiality and the potential sensitivity of information. Companies may consider disclosures that:

  • Explain how digital security and strategy are important to the company’s future business model, strategy and environment;
  • Provide detail of governance structure, culture and processes a company has in place to support digital security and strategy;
  • Identify the digital security risks and opportunities a company faces both now and into the future; and
  • Highlight the impact of internal and external events and the actions and activities that respond to these.

The FRC Lab report outlines a wide range of disclosure recommendations, under the headings of strategy, risk, governance and events. It concludes with guidance on what audit committees should consider to determine if a company’s disclosures clearly communicate sufficient information to meet stakeholder needs.

SEC – Cybersecurity Disclosures

The SEC has issued a proposed rule that would require registrants to provide enhanced disclosures about ‘cybersecurity incidents and cybersecurity risk management, strategy and governance’.

The proposed rule addresses concerns related to the pervasive use of digital technologies, shift to hybrid work environments, rise in the use of crypto assets, and increase in illicit profits from ransomware and stolen data, which continue to escalate cybersecurity risk and its related cost to registrants and investors.

Costs and consequences of a cybersecurity incident may include remediation expenses, lost revenues, litigation, increased insurance premiums, reputational damage, and erosion of shareholder value.

In 2011 and 2018, the SEC issued interpretive guidance that did not create any new disclosure obligations but rather presented the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.

The proposed rule would establish new requirements related to:

  • Material cybersecurity incidents, which would need to be disclosed on SEC Form 8-K within four business days;
  • Disclosures in SEC Forms 10-Q and 10-K about cybersecurity incidents previously reported on Form 8-K;
  • Disclosures in SEC Form 10-K about (1) cybersecurity monitoring and risk management policies and procedures, (2) management’s role in implementing those policies and procedures, and (3) cybersecurity governance, including oversight by the board of directors; and
  • The presentation of disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).

All types of periodic SEC filers would be affected by the proposed rule, including domestic registrants, foreign private issuers, smaller reporting companies, and emerging growth companies.

Of particular importance may be having clear protocols for escalating incidents, drafting the notifications, and obtaining the necessary approvals. These protocols can make the difference between (1) meeting tight notification deadlines and gaining credibility with the applicable regulator, and (2) missing the deadline and starting off by having to explain to the regulator why the notification was late, which can undermine the regulator’s view of the overall competence of the response.

Corporate Reporting – Improvement Required

Our report ‘Cyber risk and governance reporting in the UK: Improvement required!’ is based on company disclosures across the FTSE 100.

The review of annual reports shows:

  • Companies in every sector, although not every company, identify cyber as a principal risk – so companies should think carefully if they do not;
  • The value destruction from cyber risk is very high and can include customer service issues, costly remediation, regulatory fines and longer-term reputational damage. Detailed disclosure is now being called for to highlight board oversight;
  • The better disclosures are company-specific, year-specific and provide sufficient detail on actions and outcomes to give meaningful information to investors and other stakeholders;
  • Boards and board committees are increasingly educating themselves about the cyber threat and challenging management to implement stronger controls, focusing on technology capabilities, education of employees and engagement with suppliers;
  • Many companies are doing a lot in this area and should take credit for what they are doing, including describing who has executive responsibility, how they report to the board, board level responsibilities, the policy framework, internal controls, internal and external assurance, and disaster recovery plans; and
  • Finally, if company disclosure still does not look strong enough after taking credit for what the company is already doing, it is worth enquiring whether enough is being done to manage cyber risk, as company disclosure can only report on what companies actually do.

The report sets out a number of observations and insights under the following headings:

  • Do companies describe cyber risk clearly? The verdict: Improvement, but no cigar…
  • How do boards appear to be involved?
  • Are mitigating activities well explained?
  • How much are companies really saying about cyber breaches?
  • Tech transformation is accelerating – are companies keeping pace?

The report provides links to a number of illustrative examples of cyber risk and governance disclosure from the survey of FTSE 100 annual reports. These include the annual report of Weir Group PLC which clearly disclosed a cybersecurity incident that took place during the year and included the steps taken to remediate the incident.

The appendices to the report also include a summary of the key features of both the SEC proposed rule change and the FRC Lab report.

The report also makes reference to the findings of the report 'Digital frontier: a technology deficit in the boardroom'. The Deloitte Global Boardroom Program reports the findings of a survey covering more than 500 directors and C-suite executives and conversations with leaders, directors, and subject matter specialists to find out what’s being done in boardrooms around the world when it comes to technology.

The survey found that fewer than half of executives and board members surveyed believe their board is providing enough oversight of technology matters. Meanwhile, 44% of executives said that their board directors lack the knowledge they need to provide effective stewardship over technology strategy.

Conclusion

Investment in technology can transform performance and support companies in protecting against the risks of cyber attacks. Companies need to assess realistically whether they have the experience and expertise necessary to deal with these risks, to understand where any gaps are, and to determine where they may need to engage external advice and assistance.

Strong disclosure of risks and mitigating features both explains the opportunities and explores the changes in risk profile, helping investors to form a view on whether a company is doing enough to manage its risk and embrace opportunity.
