14 May 2024

Accountancy Europe's Ceder: Cyber security: the next frontier for reporting

Cyber incidents are happening frequently, but they are often not reported? Indeed, according to the World Economic Forum’s 2024 risk report, cybersecurity is ranked as the fourth largest material risk for businesses on a 2-year horizon...but extreme climate events rank as the second biggest risk.

Could you elaborate on how cyber incidents can be a threat to companies?

You see in movies how the main character’s computer screen suddenly goes black then a message appears reading:  

“Well, you are here, it means that you’re suffering from a cyber incident right now. Your files have been encrypted. To regain access, you must pay a ransom within 72 hours. Failure to comply will result in permanent loss of your data.”

These kinds of incidents actually happen every day across Europe. We are living in a world that is more volatile, uncertain and complex, where it is quite common that your employer, client or a company you have invested in has been hit by a cyber breach.

However, most people don’t hear about these incidents. According to the Swedish police, for example, less than 3% of Nordic companies report cyberattacks. This is another pattern that we don’t only see in Europe but also worldwide.

Cyber incidents are happening frequently, but they are often not reported?

Indeed, according to the World Economic Forum’s 2024 risk report, cybersecurity is ranked as the fourth largest material risk for businesses on a 2-year horizon. As a comparison, extreme climate events rank as the second biggest risk.

While there is a widespread consensus on the importance of cybersecurity, the way that companies talk about it doesn’t reflect the reality.

For instance, I recently conducted a language analysis of the annual reports for the 10 largest companies on the Stockholm Stock Exchange. Overall, these companies mentioned the words “climate” and “carbon” 1278 times. Surprisingly, the word “cyber” was included only 68 times among the same reports. The striking difference is a staggering 1778%. How is it that the world’s fourth largest material risk receives 1778% less attention than the world’s second largest material risk?

Not communicating on this issue hinders innovation and improvement. Low awareness leads to fear. When employees lack awareness and are fearful, it can increase the risk of mistakes that lead to cyber incidents, such as phishing attacks or the accidental sharing of sensitive information. Customers and business partners also become uncertain about how their data is managed and protected, which can undermine their trust in the company.

Cybersecurity can generate uneasiness within organisations and hinder the open sharing of ideas, experiences and concerns. If people and companies don’t speak up on the issue, the organisation’s ability to innovate and grow is threatened.

SMEs are not Immune to cyber-attacks either; if anything, they are perceived as the weaker links in value chains from a cyber resilience point of view as they understandably tend to have less resources and workforce dedicated to cyber risk management.

What have regulators done to address this issue?

The US Securities and Exchange Commission recently introduced a new directive that requires all listed companies to report material cybersecurity incidents within four days. Moreover, all companies must report annually on their preventive work to manage cyber risks...

 more at Accountancy Europe

© Accountancy Europe