PwC and IRRC Institute Release New Cybersecurity Report; Offers Investors Strategies to Evaluate Risk Amid Opaque Corporate Disclosures

Webinar on August 20, 2014 to Review Report Findings

NEW YORK, NY, July 31, 2014 – A new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information. The report examines key cybersecurity threats to corporations and provides information to investors struggling to evaluate investment risk, business mitigation strategies and the quality of corporate board oversight.

“Cybersecurity has moved from the back office to the corporate board room because it poses a deep threat to a company’s bottom line and reputation,” said Jon Lukomnik, executive director of the Investor Responsibility Research Center Institute (IRRCi).  “The reality today is that virtually every company is reliant on information and technology, so not one company or sector is left out.”

Lukomnik added, “The severity of the gap between the magnitude of cybersecurity threat and the lack of steps boards have taken to address the risks is a key issue for investors and policy makers alike. In recent weeks both Securities and Exchange Commissioner Luis Aguilar and Treasury Secretary Jack Lew have made public comments regarding cybersecurity issues.”  Lukomnik explained, “Even when Boards do act, investors often feel in the dark on cybersecurity.  First, it’s dynamic and highly technical.  Second, companies can be reluctant to disclose details on threats because they are concerned about providing hackers with a roadmap to vulnerabilities.”

What Investors Need To Know About Cybersecurity: How to Evaluate Investment Risks was commissioned by IRRCi and authored by Kayla Gillan, leader of PwC’s Investor Resource Institute, and PwC Advisory principals Joe Nocera and Peter Harries.  Both Nocera and Harries are leaders in PwC’s cybersecurity practice.

“This report is designed to help investors begin to navigate critical cybersecurity issues, with a focus on sector-specific portfolio risk,” said Gillan. “It outlines cybersecurity trends, industry threats and strategies investors can pursue to evaluate risk, even with limited information.”

The report suggests that investors focus on corporate preparedness for cyber attacks, engage with highly-likely targets to better understand corporate preparedness, and demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).

“The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies,” said Nocera.  “This paper can help investors ask the ‘right’ questions to assess the level of risk they may be facing.”

The study suggests investors ask the following key questions:

  • Does the company have a Security & Privacy executive who reports to a senior level position within the company?
  • Does the company have a documented cybersecurity strategy that is regularly reviewed and updated?
  • Does the company perform periodic risk assessments and technical audits of its security posture?
  • Can senior business executives explain the challenges of cybersecurity and how their company is responding?
  • What is the organization doing to address security at its business partners?
  • Has the company addressed its sector-based vulnerability to cyber attack?
  • Does the organization have a response plan for a cyber incident?

The study also outlines common motivations for cyber-attacks, by industry sector, based on PwC experience:



The full report is available here.  A webinar to review the findings and respond to questions is scheduled for Wednesday, August 20, 2014 at 2 PM EDT.  Register here.

The Investor Responsibility Research Center Institute is a nonprofit research organization that funds academic and practitioner research that enables investors, policymakers, and other stakeholders to make data-driven decisions.  IRRCi research covers a wide range of topics of interest to investors, is objective, unbiased, and disseminated widely.   More information is available at www.irrcinstitute.org.

 

PwC’s Investor Resource Institute

Through the Investor Resource Institute, PwC strives to provide insights to, and receive insights from, the investment community.  We offer our views on accounting, auditing, corporate reporting, data security, and a myriad of other issues, as well as transparency about what we do that may be of interest to investors.  We host events, large and small, that are designed to strengthen the bridge not only between PwC and the investment community, but also between investors and others.

 

About PwC US

PwC US helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms in 157 countries with more than 184,000 people. We're committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US. Gain customized access to our insights by downloading our thought leadership app: PwC's 365™ Advancing business thinking every day.

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.