
Tuesday, May 9, 2023
Cyber – the next ESG?

Around the world, regulators are requiring companies to report ever more extensively on the steps they are taking to minimise their impact on the environment, to demonstrate how well they are managed, and to show how they manage their impact on society (the ESG agenda). Shareholder pressure for better behaviour is increasing; already there are claims of ‘greenwashing’, where companies are accused of cynically seeking to enhance their green credentials, e.g. by selective reporting or by minimising pollution incident data. While companies have no such requirement yet to report on their approach to cyber, regulators are beginning to look at mandating that companies provide assurance to the markets that they have a grip on their cyber risk. Most companies include some reference to cyber in their strategic risks, but it is generally cursory and gives no confidence. Should companies report more on their cyber posture? Or would such disclosure increase the risk (and impact) of a successful attack? It’s a fine line – we can help you walk it.

Who needs to know what? 

Company directors have obligations under law to operate their business professionally and in the interests of the shareholders, who have invested their capital in the hope and expectation of a positive return. Directors are required to produce accounts; above a certain size these accounts must be externally audited to ensure that appropriate financial and management systems and controls are in place, and that the shareholders get a ‘true and fair’ picture of the company’s performance.

Some ESG legislation has made its way into the Companies Act, e.g. mandatory reporting on greenhouse gas emissions and energy consumption, and there are regulations requiring reporting on the gender pay gap and modern slavery. Further mandatory climate-related disclosures are expected. But ultimately it is the company that decides what to disclose.

Intelligent shareholder engagement

While shareholders might want to know what companies are doing to protect their data assets, this is not information that companies want broadcast. Nor is it sensible for shareholders to assume that their scrutiny will reduce the likelihood or impact of a cyber breach to zero. Investors are unlikely to be able to form much of a value judgement on the competence (or otherwise) of their companies’ cyber security activities.

Shareholders need confidence that the companies in which they have invested are deploying their capital judiciously. Some institutional investors require certain policies on dividends and performance. Big institutional investors (e.g. pension funds) like a degree of certainty and low share price volatility. Shareholder activism is increasing, with investor companies leveraging their shareholdings to require changes of direction by management.

Regulators and governments are increasing pressure on companies, particularly those operating assets that constitute critical national infrastructure (utilities, finance, transportation, health, etc.), to devote more attention to, and take greater responsibility for, their cyber resilience. But so far, investors have yet to demand more information and reassurance that the companies in which they invest are taking adequate steps to protect themselves against cyber threats.

Where Astaara can help: we can help you align your business and ensure your leadership has a clear line of sight from risk identification through to mitigation and the management of residual risk.

Why should this matter?

A cyber attack, badly handled, can prove fatal to a company. Even minor breaches can destroy value, spook investors and poison the relationship between them and the management. While there are rules about the treatment and protection of physical or financial assets, there is, as yet, no formal protection for data assets which, for some companies, are their main source of value – and their Achilles’ heel.

Shareholders are unique in their ability to hold directors to account for their stewardship of company assets. And since their role is as much about looking ahead and endorsing company strategy as it is about reaping the reward of successful business, they are perhaps the only group who can exert pressure on company directors to do more pre-emptively to protect the business. In most cases, cyber breaches are facilitated by a failure to protect systems, a lack of adequate training and poor contingency planning – and mostly they come as a surprise.

Shareholders would be better served if they required boards to demonstrate that cyber issues were being effectively managed, that software was kept up to date, and that processes and protocols were in place to manage the risk. While this may require additional expenditure and/or capital, it would reduce the impact of a breach and keep shareholders onside.

Bottom line

Cyber breaches are a fact of life, and while it is impossible to stop them all, companies have to be able to respond quickly and reassure staff, markets, regulators and shareholders that they are being run properly and are prepared for such a contingency. Poor cyber hygiene puts capital and shareholder value at risk.

As both an insurer and a risk advisory business, Astaara can help you progressively manage this risk and improve your cyber posture over time.

William Egerton, Chief Cyber Officer