Cyber Incidents: A Watershed Moment for Transparency

January 23, 2026

By Simon Onyons, Steve Rumbold and Janet Burt

Despite cybersecurity representing a strategic and even existential risk to organizations today, stakeholder transparency and a strategic vision to manage it are often lacking. Too frequently, transparency is achieved only after a significant security incident.

This is a problem. A core element of risk management involves senior oversight, ensuring that business leaders actively engage in the risk management process and that investors (and other key stakeholders) are informed and can take comfort knowing that such risks are being actively, and proportionately, addressed.

What’s more, if cybersecurity risk transparency surfaces only after a breach, organizations will keep paying a premium in recovery costs. This is significant when you consider that the recent Marks & Spencer and Jaguar Land Rover breaches were estimated to have cost GBP 650 million to 2 billion in value. With major brands and multiple industries being hit simultaneously, this has the potential to negatively impact GDP.

Today’s boards should become much more invested in cybersecurity matters, to fully understand the risks they present and the impact an incident can have. Directors need to be aware of these risks as part of their ongoing governance roles.

These incidents can have an operational impact, and during a disruption, firms encounter an immediate need for financial triage through cash‑flow analysis and management of the associated supply chain risks. In the longer term, businesses face the challenge of sustaining operational stability and stakeholder confidence once the incident has passed.

It is worrying that transparency regarding cyberattacks is, more often than not, an outcome of an incident rather than a contributing factor in preventing incidents in the first place.

A Watershed Moment in Cyber Transparency

Our team at Kroll recently conducted a study on 12 publicly disclosed cyberattacks on listed companies across nine industry sectors over a multi-year period. Our research analyzed the impact of a cyberattack on the disclosure and transparency of cyber resilience in their annual reports.

Our findings were telling and starkly point to the need to continue enhancing board and investor awareness on cybersecurity risks:

  • A more than 100% increase in mentions of “cyber” in annual reports for 8 of the 12 companies
  • Nearly fourfold increase in mentions of “cyber” post-breach compared to pre-breach
  • Eightfold increase in mentions of “incident” post-breach compared to pre-breach
  • Mentions of “security” rose from 20 to 62, on average, a 210% increase
  • These increases in transparency were sustained for more than two years post breach

While a control group of companies across the same sectors also saw an increased focus on cybersecurity in their reporting—as you would expect given the evolving complexity of the threat landscape—the breached firms saw an increase three times larger than the control group.

Cyber incidents constitute a watershed moment for organizations, and this is reflected in the communication and detail they provide about cyber resilience in their annual reports, although, interestingly, terms such as “ransom,” “ransomware” and “data breach” were largely static across all periods. This finding likely indicates that while detailed narratives of incidents were not disclosed, as is understandable, there was a significantly larger emphasis on cybersecurity governance after the incident, as well as a change in tone and sentiment to position cyber resilience as a core strategic issue, as opposed to a technical risk to be managed.

Critically, the increase in narrative around cybersecurity in annual reports happened only after a cyberattack caused significant disruption and financial and reputational loss. Therefore, we can conclude that a cybersecurity breach inevitably results in significantly greater transparency over a long time period. That raises the question, “Is there currently enough scrutiny around cybersecurity reporting to truly achieve resilience?” Further, is your board challenging the information about cyber risk and resilience enough, and are you being open enough with your investors and other critical stakeholders?

Too Little, Too Late

Companies and their directors have a corporate responsibility to their shareholders, their customers and other stakeholders to manage their cyber risk and resilience effectively. The shift to an increase in reporting on cybersecurity in annual reports following an incident, however, indicates a potential lack of transparency or focus before a security breach.

The true issues behind this lack of transparency are likely complex. In a best-case scenario, companies don’t see the need to provide details on cyber resilience in reports until they have an issue; they manage many risks and don’t provide this level of detail for other major risk groups either. In another scenario, there are not enough checks and balances to provide detail within a report on cyber resilience. In a worst-case scenario, the lack of transparency indicates a deeper governance problem, brought to light only once an attack has happened and stakeholders have been forced to focus on and understand the scale of impact a cyberattack brings. Cybersecurity can become an existential issue, and it is a core strategic priority. Such risks necessitate focus and stakeholder transparency. It is not enough to realize this only after a major business impact has been navigated.

Can Regulation Force Transparency?

Given the sheer financial loss attributed to recent cyber incidents—in sales, revenue, reputation and corporate valuation—and the fact that governments are increasingly being drawn into this field as the scale of impacts grows, it is no wonder that governments and regulatory bodies are becoming increasingly concerned with cybersecurity.

In the UK, the Cyber Security and Resilience (Network and Information Systems) Bill proposes new laws to protect public services and represents a significant step forward in the national journey to collective resilience. However, it is important to recognize that this bill alone will not solve the UK’s cybersecurity problems overnight. Indeed, none of the Marks & Spencer, Jaguar Land Rover, Harrods or Co-op incidents would have been captured by this bill, as these businesses are not deemed critical national infrastructure (CNI). These incidents alone represent nearly GBP 2.5 billion of economic impact, and with the many other incidents that fall below the thresholds of the bill, the cumulative impact is significant.

The Cyber Security and Resilience (Network and Information Systems) Bill and other regulations, such as the U.S. Securities and Exchange Commission rules regarding incident disclosure, are strong steps forward in cross-sector resilience and provide a solid foundation for building cyber resilience. There remains a long way to go for organizational cyber resilience to bubble up into national—or even global—cyber resilience. Indeed, much of the regulation we see mandates post-breach reporting; none of it requires proactive transparency in annual reporting or other investor relations. Such reporting is left to the organization and its stakeholders to work out for themselves, often resulting in an absence of the required detail.

How Kroll Supports Cyber Resilience

Kroll’s research into mentions of “cyber” in the annual reports of several companies that have suffered public cyberattacks is only the tip of the iceberg when it comes to managing transparency and governance regarding cybersecurity. But this study underscores the importance of having good cyber governance practices in place before a cyberattack, so that an analysis of cyber risk can be given when required, and so that the focus on cybersecurity as a core strategic risk (as opposed to a technical challenge) is evident to those who need such assurances—whether in annual reports or through board challenge.

We don’t pretend that getting a handle on cyber governance is easy. Often it will require third-party expertise:

  • To know how to assess cyber resilience, and importantly, to independently challenge your understanding of your company’s capabilities
  • To offer practical advice on building cyber resilience or enhancing existing capabilities to keep up with the evolving threat landscape
  • To advise on appropriate disclosure of resilience markers to convey cyber resilience risk
  • To know the long-tail contextual implications of cyber resilience, e.g., financial modeling of a potential cyber incident, allowing for capital reserves to be appropriately reviewed

Kroll offers integrated support across cybersecurity, financial, governance and operational domains. Our Cyber and Data Resilience team provides 24/7 monitoring, incident response retainers and threat intelligence briefings tailored to the retail sector. We help clients strengthen detection capabilities and prepare for emerging threats. We support both large-scale transformation and tactical, targeted capability uplifts for our clients to help mitigate cyber threats.

In the event of an attack, Kroll’s Restructuring professionals deliver immediate financial support and advice, including short- and long-term cash-flow forecasting, refinancing options and insurance claims support. We also offer interim management, deploying experienced leaders such as chief restructuring officers and directors to take control of stressed situations and assist in negotiations with key stakeholders and suppliers, while implementing operational and financial restructurings.

Our Business Transformation team works alongside cybersecurity specialists to redesign operating models and improve efficiency across stores, supply chains and digital channels. This work includes scenario modeling to guide decisions about liquidity, lender negotiations and omnichannel performance, helping retailers stabilize operations and recover with confidence.

Our Enterprise Security Risk Management team brings significant organizational resilience expertise to bear, including on physical security, insider threat management and business continuity/crisis management in both CNI and non-CNI environments. This team complements our cybersecurity specialists, ensuring that recovery plans are holistic, enterprise-wide capabilities that integrate across a range of impact areas and solutions.
