By Steffen Müller

US companies’ disclosures of cyber risks rarely provide differentiated or actionable information, PwC US warned in a joint report issued in collaboration with the Investor Responsibility Research Center Institute (IRRCi).

The report, What investors need to know about cybersecurity: How to evaluate the investment, encourages investors to demand better and more actionable disclosure of companies’ cybersecurity policies across all industry sectors.

"The reality today is that virtually every company is reliant on information and technology, so not one company or sector is left out," IRRCi executive director Jon Lukomnik said.

According to the report, the topic of cybersecurity "has moved from the back office to the corporate board room," since poor cybersecurity can lead, among other things, to lost revenue, compromised intellectual property or increased costs.

However, the steps boards take to address potential cyber risks tend to be hesitant and often lack disclosure and transparency for investors struggling to evaluate investment risk, the report said.

"Even when boards do act, investors often feel in the dark on cybersecurity," Lukomnik said, adding: "First, it’s dynamic and highly technical. Second, companies can be reluctant to disclose details on threats because they are concerned about providing hackers with a roadmap to vulnerabilities."

PwC investor resource institute leader Kayla Gillan said that investors should "begin to navigate critical cybersecurity issues, with a focus on sector-specific portfolio risk." The report therefore suggests that investors should ask whether there is strong cybersecurity expertise at the senior level of the company and whether the company has response plans for cyber incidents.

According to the joint report, the motives behind cyber-attacks differ by industry sector. While the financial services and retail sectors are targeted mostly for financial gain and out of greed, attacks on the energy, aerospace & defence and government sectors are often politically motivated.

Related links:


Report: What investors need to know about cybersecurity: How to evaluate the investment?