FRC proposes enhanced disclosures over digital security risk

In a bid to recognise the growing impact and importance of digital transformations and their associated risks, the FRC has published a discussion paper (DP) setting out their view on how to enhance disclosures over digital security risk.

At a glance, the DP calls out that:

• Digital systems, process and data, and therefore digital security risk, are fundamental to business continuity, resilience, and value creation. Therefore, disclosures should provide relevant information to assist investors in assessing a company’s ability to remain viable and resilient
• Investors believe current disclosures around digital security are inadequate and often ‘boilerplate’
• There are a number of factors driving greater focus on enhanced digital security risk disclosures including:
  • Recent high profile cyber incidents that show the potential for operational and financial disruption to companies
  • Accelerating pace of digital transformation
  • Evolving stakeholder demands around digital and data security
  • Intensified geopolitical tensions.

The FRC DP sets out a framework detailing how companies can look to enhance their digital security risk disclosures. For the purpose of the DP, the FRC defines the risk as follows:

• Digital security risks: the operational, financial, reputational and stakeholder risks caused by cybersecurity threats, including the risk of major data breaches arising from internal lapses
• Digital strategy risks: the operational, financial, reputational and stakeholder risks caused by moving to a digital business model (also referred to as digital transformation) and increased reliance on data.

Overview

The enhanced disclosures present companies with an interesting challenge and opportunity. To meet the requirements, businesses should demonstrate how their digital strategy will deliver safely and securely, giving stakeholders confidence in their strategy and future . As digital risk, cyber and resilience concerns become more pressing, it is important that these disclosures present an accurate picture of the company’s security position and what actions they are taking to continually improve this. How do companies apply measures and controls in order to manage and demonstrate this in disclosures? Our guidance focuses on four key areas:

• Strategy
• Governance
• Risks
• Security incidents.

Strategy

At the outset, it is key to determine how the digital transformation strategy in your organisation complements the wider business strategy, and what significant actions the company should take in order to add value as part of the transformation. It is also critical to disclose how digital transformation will impact the wider strategic objectives of the company, including specific challenges that might arise throughout.

How the organisation monitors external trends and challenges should also be disclosed, with detail on how these are informing future decisions, as well as what changes to the digital strategy have been made in the last 12 months as a result of this.

When disclosing strategy, consider:

• Controls in place to ensure the digital strategy is refreshed and aligned to corporate strategy
• How horizon scanning is conducted and how information is reported into strategy controls
• KPIs for measuring effectiveness of the transformation that supports the overall strategy.

Governance

Disclosures should include an overview of the committees, structures and controls that manage and monitor the digital strategy and security risks arising within an organisation. Additionally, they should detail the significant items discussed by these governing bodies and how this informs the digital transformation strategy and security position.

Finally, its critical to identify actions taken by the company to support awareness of the digital security internally and how the organisation is responding to the opportunities and threats they observe as part of their strategy discussions.

When disclosing governance, consider:

• What training and support is provided to upskill individuals’ cybersecurity knowledge
• How the recruitment process determines that appropriately skilled persons are selected
• The role of internal audit and the audit committee in relation to digital security and strategy
• What steps are being taken to ensure the board and management have the required expertise.

Risks

Potential risks arising from digital security strategies should be disclosed, including how these could evolve and materialise over time. It is key to provide appropriate detail of the actions and activities undertaken to mitigate and manage these risks. The increasing level of reliance on third parties is a challenge, as it can cause confusion with who is responsible for ownership and management of risks.  When disclosing risks, consider:

• Information on effectiveness of control environments around new and existing platforms and processes
• Details of reviews undertaken by assurance functions within the company
• How risks are reported to those charged with governance, to provide an accurate view of the threat landscape, vulnerabilities and risk appetite.

For more detail on the pervasive risks involved in digital transformation, see our 2022 Global Digital Risk Survey.

Security incidents

Disclosures should focus on the impact of digital security events (incidents and outages) and how the company has responded to these. Particularly where a company has been subject to a cyber incident, the following items should be disclosed:

1. The incidents that occurred, if any, the impact upon the company, and whether incident response plans functioned correctly
2. Actions undertaken to mitigate the impact, and how effective these were
3. The financial impact of the incident
4. How the board facilitated the recovery from the incident
5. Improvements made in response to the incident.

Further to this, consideration should be given as to whether the incident had been foreseen, and how the governance structures and controls in place had functioned to effectively mitigate or remediate the incident. For any US listed business there needs to be further consideration on how to apply upcoming guidance from the SEC. Potential new requirements will also mean management will need to:

1. Disclose when a series of individually immaterial incidents, that are previously unreported, become material in the aggregate
2. Provide updated disclosures on previously reported cyber incidents.

In summary

The key challenges with enhancing digital strategy and security risks disclosures is implementing the appropriate controls, structures, data points, reporting and the necessary KPIs and information to:

• Ensure a digital strategy which aligns to the business strategy and will be safely and securely implemented, adding value to the organisation
• Prove that the effectiveness of functions and activities ensure digital security risk is being proactively controlled and managed.

If you are need of support in enhancing the disclosures or the effectiveness of your controls framework please get in touch with a member of our team.