Cyber Resilience – Prevention Rather Than Cure
September 2017
Now that the business world’s attention has been grabbed by recent cyber security breaches such as those endured by TalkTalk, the NHS, the UK Parliament and further afield Equifax, it’s a good time to think about how we can move the business world onto a more assured footing to help it meet this evolving challenge. It is all the more opportune now we have come to the end of Cyber Security week.
Achieving some form of minimum and consistent approach to cyber security would be a start, but how to do it?
I wonder if we can help to align the stars on this one?
The Finance Reporting Council (FRC) the guardian of good corporate governance in the UK has a live consultation on corporate annual strategy reporting at present. Reviews of this kind do not come around very often. The FRC offers corporate governance guidance and publishes the UK Corporate Governance code. It offers guidance in support of the Companies Act 2006 which also mandates certain corporate behaviour. The guidance covers the content of annual reports, both the strategy and the governance, and finance reports. Non-financial reporting is covered by the reports and includes requirements to report on diversity and corporate social responsibility amongst other things. From my reading there is little reference to cyber security. This seems to be an important omission given the risk to reputation and the functioning of most businesses that cyber breaches present nowadays. It therefore seems reasonable that stakeholders (shareholders, potential investors, suppliers, regulators and the wider population) should be given some reassurance about the status and robustness of a company’s cyber security arrangements.
My proposition is that the FRC guidance should include a requirement to explicitly report on cyber security and to assess it against an accepted standard.The government offers such a standard in its Cyber Essentials guidance. This guidance provides a framework that a company should seek to comply with to give a minimum level of cyber security assurance. I suggest that companies report their compliance with the guidance and adopt the ‘comply or explain’ approach to reporting against it. This could be by self-assessment or conducted by a trusted third party, or a combination of both.
In addition to the FRC guidance on annual reporting the UK Listing rules could also adopt a similar approach. The Listing rules set out what a company needs to comply with in order to seek approval to pursue a public flotation. The mandatory company prospectus could include their compliance with the cyber essentials on a ‘comply or explain’ basis also. Companies that are not listed may see value in benchmarking themselves against the criteria too, either to reassure their investors or in anticipation of a public listing in the future.
There may well be some refinement and further development of this proposal that is required before it could be adopted but it seems to me that this could offer the basis for a formal structured step forward to ensuring greater cyber security resilience, for UK listed and based companies at least.
I have replied to the FRC consultation along the above lines.