Investors Financial Reporting Lab Digital Security Risk Disclosure

Digital Security Risk Disclosure

Introduction

Digital systems, processes and data and therefore digital security risk is fundamental to business continuity, resilience and value creation. Reporting on these areas should provide relevant information to investors and other stakeholders to assist them in assessing a company’s ability to remain viable and resilient.

This report is designed to be of use to reporting teams, risk teams who are involved in reporting and for audit committees who review the resultant disclosures.

It focuses on disclosure relating to digital security risk that can be optimised to provide users with useful information. It does not cover what controls a company should have or what general requirements around risk disclosure should be. However, it does refer to government guidance on actions that companies should take.

Companies can improve disclosures by focusing on aspects of strategy, governance, risk and events. The report is supported by a separate detailed example bank providing a number of practical examples to help companies improve their disclosures. It also provides potential questions for boards and audit committees to consider.

Mark Babington, Executive Director of Regulatory Standards at the FRC, said:

"Every company is now digital, so providing useful, relevant and focused disclosure on digital security is critical. Investors need transparency in this area, and this report provides a key resource for companies looking to achieve this."

During the project, the FRC was supported by technical experts from DCMS, NCSC and BEIS.

Digital Minister Matt Warman said:

"We're investing £2.6 billion through our National Cyber Strategy to make our digital economy more secure. But as this report shows, businesses can do more to bolster their online defences and improve transparency and reporting around cyber security.

"There is help available so I urge firms to follow NCSC guidance on strengthening their cyber security capabilities so they are in the best position to protect themselves and their customers."

Publications

In addition to the full report and example bank, a summary of the key findings is also available.