13 May 2024 — Stories

Cyber security: the next frontier for reporting


Gustav Ceder is an independent cybersecurity consultant and communication strategist based in Sweden. He works with companies, including SMEs, to help them identify, mitigate and communicate cyber risks and other strategic matters.

Could you elaborate on how cyber incidents can be a threat to companies?

You see in movies how the main character's computer screen suddenly goes black and then a message appears reading:

Well, if you are here, it means that you're suffering from a cyber incident right now. Your files have been encrypted. To regain access, you must pay a ransom within 72 hours. Failure to comply will result in permanent loss of your data.

These kinds of incidents actually happen every day across Europe. We are living in a world that is more volatile, uncertain and complex, where it is quite common that your employer, client or a company you have invested in has been hit by a cyber breach.

However, most people don't hear about these incidents. According to the Swedish police, for example, less than 3% of Nordic companies report cyberattacks. This is a pattern that we see not only in Europe but also worldwide.

Cyber incidents are happening frequently, but they are often not reported?

Indeed, according to the World Economic Forum’s 2024 risk report, cybersecurity is ranked as the fourth largest material risk for businesses on a 2-year horizon. As a comparison, extreme climate events rank as the second biggest risk.

While there is a widespread consensus on the importance of cybersecurity, the way that companies talk about it doesn’t reflect the reality.

For instance, I recently conducted a language analysis of the annual reports for the 10 largest companies on the Stockholm Stock Exchange. Overall, these companies mentioned the words “climate” and “carbon” 1278 times. Surprisingly, the word “cyber” was included only 68 times among the same reports. The striking difference is a staggering 1778%. How is it that the world’s fourth largest material risk receives 1778% less attention than the world’s second largest material risk?

Not communicating on this issue hinders innovation and improvement. Low awareness leads to fear. When employees lack awareness and are fearful, it can increase the risk of mistakes that lead to cyber incidents, such as phishing attacks or the accidental sharing of sensitive information. Customers and business partners also become uncertain about how their data is managed and protected, which can undermine their trust in the company.

Cybersecurity can generate uneasiness within organisations and hinder the open sharing of ideas, experiences and concerns. If people and companies don’t speak up on the issue, the organisation’s ability to innovate and grow is threatened.

SMEs are not immune to cyberattacks either; if anything, they are perceived as the weaker links in value chains from a cyber resilience point of view, as they understandably tend to have fewer resources and less workforce dedicated to cyber risk management.

What have regulators done to address this issue?

The US Securities and Exchange Commission recently introduced a new directive that requires all listed companies to report material cybersecurity incidents within four days. Moreover, all companies must report annually on their preventive work to manage cyber risks.

In the EU, the Accounting Directive requires companies to describe the fundamental risks and uncertainties that a company faces. However, there are no specific directives or guidelines on how companies, regardless of industry and size, should report on their cyber risk mitigation work or disclose material incidents to stakeholders. This creates a grey area for companies, customers, and investors alike.

So how should companies tackle this issue?

One way forward is to incentivise best practices on cybersecurity disclosures that are more material, educational and focused on the value-creating narrative. Beyond simply complying with cybersecurity standards, companies should integrate cybersecurity into their broader corporate and sustainability narrative, thereby enhancing value creation.

Accountancy Europe believes that for SMEs, to begin is what’s most important, even if the initial challenge seems overwhelming. What would be your advice to small businesses?

Transparency is key to building trust, the cornerstone of any business, including SMEs. Enhancing transparency regarding cybersecurity can begin with simple steps. One good example is to focus on the company culture and to implement the necessary measures to create an internally strong and safe workplace environment where everyone feels safe to flag cyber incidents – even if they result from a human mistake.

See Accountancy Europe’s Cyber resilience checklist (2022) for smaller companies.

Some simple first questions to help SMEs get started could be: what cybersecurity training have your employees completed? How well is the company implementing basic cybersecurity practices, such as phishing-resistant authentication? How is the company ensuring data privacy? What is the company's ethical stance on paying ransoms to international organised crime?