FRC proposes enhanced disclosures over digital security risk | Deloitte UK has been saved
Limited functionality available
In a bid to recognise the growing impact and importance of digital transformations and their associated risks, the FRC has published a discussion paper (DP) setting out their view on how to enhance disclosures over digital security risk.
At a glance, the DP calls out that:
The FRC DP sets out a framework detailing how companies can look to enhance their digital security risk disclosures. For the purpose of the DP, the FRC defines the risk as follows:
The enhanced disclosures present companies with an interesting challenge and opportunity. To meet the requirements, businesses should demonstrate how their digital strategy will deliver safely and securely, giving stakeholders confidence in their strategy and future . As digital risk, cyber and resilience concerns become more pressing, it is important that these disclosures present an accurate picture of the company’s security position and what actions they are taking to continually improve this. How do companies apply measures and controls in order to manage and demonstrate this in disclosures? Our guidance focuses on four key areas:
At the outset, it is key to determine how the digital transformation strategy in your organisation complements the wider business strategy, and what significant actions the company should take in order to add value as part of the transformation. It is also critical to disclose how digital transformation will impact the wider strategic objectives of the company, including specific challenges that might arise throughout.
How the organisation monitors external trends and challenges should also be disclosed, with detail on how these are informing future decisions, as well as what changes to the digital strategy have been made in the last 12 months as a result of this.
When disclosing strategy, consider:
Disclosures should include an overview of the committees, structures and controls that manage and monitor the digital strategy and security risks arising within an organisation. Additionally, they should detail the significant items discussed by these governing bodies and how this informs the digital transformation strategy and security position.
Finally, its critical to identify actions taken by the company to support awareness of the digital security internally and how the organisation is responding to the opportunities and threats they observe as part of their strategy discussions.
When disclosing governance, consider:
Potential risks arising from digital security strategies should be disclosed, including how these could evolve and materialise over time. It is key to provide appropriate detail of the actions and activities undertaken to mitigate and manage these risks. The increasing level of reliance on third parties is a challenge, as it can cause confusion with who is responsible for ownership and management of risks. When disclosing risks, consider:
For more detail on the pervasive risks involved in digital transformation, see our 2022 Global Digital Risk Survey.
Disclosures should focus on the impact of digital security events (incidents and outages) and how the company has responded to these. Particularly where a company has been subject to a cyber incident, the following items should be disclosed:
Further to this, consideration should be given as to whether the incident had been foreseen, and how the governance structures and controls in place had functioned to effectively mitigate or remediate the incident. For any US listed business there needs to be further consideration on how to apply upcoming guidance from the SEC. Potential new requirements will also mean management will need to:
The key challenges with enhancing digital strategy and security risks disclosures is implementing the appropriate controls, structures, data points, reporting and the necessary KPIs and information to:
If you are need of support in enhancing the disclosures or the effectiveness of your controls framework please get in touch with a member of our team.
Charlotte is a Partner who leads Deloitte’s Technology and Digital Risk team. With over 15 years delivering risk, security, access and controls engagements, she has led end-to-end delivery of financial, access and operational risk management and controls reviews for clients. Charlotte has worked with major clients and provided insightful structures and recommendations to improve their control environment. She has also worked with clients to harmonise and automate control environments, both as technology and digital implementations as well as control remediation and optimisation programmes. Charlotte also leads our Digital Risk practice for all our corporate and public sector clients. Her focus has been on providing organisations with the knowledge and confidence to understand, anticipate and respond to the digital risks and issues. Charlotte has led numerous projects in supporting major organisations in their understanding, mitigation and remediation of complex emerging technology risks. She has performed digital security and control assessment across many regulatory requirements in addition to supporting organisations understand non-regulatory risks. Charlotte also leads a security managed service for one of the world’s largest retailers.
Haroon is a Senior Manager within the Deloitte Risk Advisory practice and co-leads our Cyber Risk and Assurance propitiation nationally at Deloitte, leading Cyber Security engagements across the Financial Services, Public sector and Corporate clients. Haroon has a strong IT Audit, Risk and Advisory background in a cross-section of sectors. He is experienced in a number of areas in particular Cyber Security & Assurance and has over 10 years' of experience working in the Financial Services, Corporate and Public Sector.
Adam is a Senior Manager in Deloitte’s Risk Advisory Digital Controls team. Adam helps organisations across a variety of sectors to transform, assure and execute their technology controls. Adam is specifically interested in helping risk and compliance functions.