Kayla Gillan Leader, Investor Resource Institute PWC

A new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information. The report examines key cybersecurity threats to corporations and provides information to investors struggling to evaluate investment risk, business mitigation strategies, and the quality of corporate board oversight. 

“Cybersecurity has moved from the back office to the corporate board room because it poses a deep threat to a company’s bottom line and reputation,” said Jon Lukomnik, executive director of the Investor Responsibility Research Center Institute.  “The reality today is that virtually every company is reliant on information and technology, so not one company or sector is left out.”   

Lukomnik added, “The severity of the gap between the magnitude of cybersecurity threat and the lack of steps boards have taken to address the risks is a key issue for investors and policy makers alike. In recent weeks both Securities and Exchange Commissioner Luis Aguilar and Treasury Secretary Jack Lew have made public comments regarding cybersecurity issues.”  Lukomnik explained, “Even when Boards do act, investors often feel in the dark on cybersecurity.  First, it’s dynamic and highly technical.  Second, companies can be reluctant to disclose details on threats because they are concerned about providing hackers with a roadmap to vulnerabilities.” 

What Investors Need To Know About Cybersecurity: How to Evaluate Investment Risks (add link) was commissioned by IRRCi and authored by Kayla Gillan, leader of PwC’s Investor Resource Institute, and PwC Advisory principals Joe Nocera and Peter Harries.  Both Nocera and Harries are leaders in PwC’s cybersecurity practice. 

“This report is designed to help investors begin to navigate critical cybersecurity issues, with a focus on sector-specific portfolio risk,” said Gillan. “It outlines cybersecurity trends, industry threats and strategies investors can pursue to evaluate risk, even with limited information.”

The report suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly-likely targets to better understand corporate preparedness, and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

“The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies,” said Nocera.  “This paper can help investors ask the ‘right’ questions to assess the level of risk they may be facing.”

The study suggests investors ask the following key questions:

• Does the company have a Security & Privacy executive who reports to a senior level position within the company?
• Does the company have a documented cybersecurity strategy that is regularly reviewed and updated?
• Does the company perform periodic risk assessments and technical audits of its security posture?
• Can senior business executives explain the challenges of cybersecurity and how their company is responding?
• What is the organization doing to address security at its business partners?
• Has the company addressed its sector-based vulnerability to cyber attack?
• Does the organization have a response plan for a cyber incident?

The study also outlines common motivations for cyber-attacks, by industry sector, based on PwC experience:

The Investor Responsibility Research Center Institute is a nonprofit research organization that funds academic and practitioner research that enables investors, policymakers, and other stakeholders to make data-driven decisions.  IRRCi research covers a wide range of topics of interest to investors, is objective, unbiased, and disseminated widely.  

PwC’s Investor Resource Institute

Through the Investor Resource Institute, PwC strives to provide insights to, and recieve insights from, the investment community.  We offer our views on accounting, auditing, corporate reporting, data security, and a myriad of other issues; as well as transparency about what we do that may be of interest to investors.  We host events large and small, that are designed to strengthen the bridge not only between PwC and the investment community, but also between investors and others.

About PwC US

PwC US helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms in 157 countries with more than 184,000 people. We're committed to delivering quality in assurance, tax and advisory services.