Cybersecurity risk management isn’t just a concern for the IT department. For public companies, poor cyber risk mitigation is a governance issue with a significant potential impact on operations and financial performance – along with stock performance, investor perceptions, and regulatory compliance.

High-profile cybersecurity attacks have dominated the news, and public companies like Uber, Activision, and others have all experienced public cybersecurity incidents in recent months. The increasing number of cyber attacks and data breaches has prompted regulatory bodies in the United States and Europe to add cyber risk to the scope of their rules. With the risk of attack high, and increasing focus on the topic from investors and regulators, companies must take proactive measures to protect their assets and ensure the continued success of their business.

Potential Impact of Cyber Risk

A cyber attack or data breach can have a significant financial impact on a company, potentially leading to a loss of revenue, higher expenses, and damage to the company’s reputation. This can result in a decline in stock price and investor confidence. Indeed, companies should be mindful of investor perceptions. With the increasing number of attacks and data breaches, investors are becoming more aware of the risks associated with cyber threats. As a result, investors are increasingly demanding that companies disclose information about their cybersecurity risks and incidents in their financial filings. Public companies that fail to transparently manage their cybersecurity risks may be at a competitive disadvantage in the marketplace.

Cybersecurity Regulation

Public companies also need to be mindful of the growing impact of cybersecurity risk management on regulatory compliance. Last year, the U.S. Securities and Exchange Commission (SEC) proposed new disclosure requirements for public companies regarding both specific cybersecurity incidents and their broader risk management policies and governance of the topic. This includes the details of any actual breach, an explanation of the board and management’s role in overseeing cybersecurity risk, and the background of any directors and executives with relevant expertise in this area. Moreover, companies that fail to manage their cybersecurity risks effectively may be subject to fines, legal action, and reputational damage – for example, the EU’s General Data Protection Regulation (GDPR) imposes significant fines on companies that fail to comply with its requirements. The Network and Information Security (NIS) Directive, the first EU-wide cybersecurity legislation, and its successor, NIS2, require businesses in certain sectors that heavily depend on ICTs (Information and Communication Technologies), such as energy, transport, banking, financial market infrastructures and healthcare, to take appropriate cybersecurity measures and provide timely notifications to the relevant authorities in case of serious incidents.

Public companies must take proactive measures to manage their cybersecurity risks in order to protect their assets and ensure the continued success of their business. But what are the best practices for public companies to manage their cyber risks and comply with the regulations?

***

Cybersecurity Solutions from Glass Lewis and BitSight

Glass Lewis is partnering with BitSight to help public companies and their investors tackle the significant and constantly changing challenge of understanding cybersecurity risk.

In 2011, BitSight created the world’s first cybersecurity rating system and has since partnered with many of the world’s leading investment organizations including Glass Lewis and Moody’s to improve investor and market awareness of cyber risks. Today, thousands of investors, enterprises, insurers, government institutions and other market stakeholders trust BitSight’s independent ratings and data to make better risk management decisions.

BitSight continuously and non-intrusively collects cybersecurity performance data about public and private companies. Using this data, BitSight creates quantitative, objective ratings and analytics that are similar to credit scores and are updated daily. Independent studies show that BitSight’s ratings and analytics are significantly correlated with cybersecurity incidents: poor cybersecurity performance as measured by BitSight increases an organization’s risk of experiencing a cybersecurity incident.

Glass Lewis partnered with BitSight to launch the Cybersecurity Risk Evaluation Solution for public companies. The solution enables public companies to receive a customized analysis of their cyber risk issues along with guidance on how to communicate their cyber risk mitigation plan to their stakeholders and shareholders.

Glass Lewis is also leveraging the cybersecurity expertise of BitSight to provide clients with insight into the level of cyber risk to which a company is exposed. Glass Lewis Proxy Papers feature a point-in-time snapshot of a public company’s cybersecurity performance, as of the first day of the current quarter, pulled directly from the BitSight platform. The report features the company’s overall BitSight Security Rating and how the organization benchmarks against its peers in 20 major risk categories.

Investors use BitSight to manage cyber risk in their portfolios and to inform their engagement strategy. BitSight’s analytics help investors assess the effectiveness of the policies, controls, governance and procedures that a company is implementing, giving investors greater visibility into how well the cyber risk program is being executed. BitSight’s measurements also provide investors with further validation of management’s intentions. BitSight’s data is not only useful as a risk screen: independent analysis has found that investors leveraging BitSight Security Ratings in an investment strategy can earn higher returns while reducing risk.

The Cybersecurity Risk Evaluation Solution helps guide public companies to identify and mitigate cyber risk and communicate their plan to the market. BitSight cybersecurity analysis in Glass Lewis Proxy Papers provides a comprehensive and accessible relative overview of key portfolio risks and opportunities, integrated directly into Glass Lewis’ industry-leading proxy voting and governance reports.

If you represent a public company, please click here for a review of how we can help with your cyber risk mitigation strategies.

If you are an investor, please click here to learn more about cyber risk information in our Proxy Paper reports.