That tells investors nothing about how a company would handle the growing threat of ransomware attacks or hackers exploiting vulnerabilities in a third-party supplier, explains Kevin Gronberg, vice president of policy and government affairs at SecurityScorecard.
SecurityScorecard commissioned the report alongside the nonprofit Cyber Threat Alliance, the National Association of Corporate Directors, software company Diligent and analytics company IHS Markit.
“We’re not looking for companies to give a road map to the crown jewels, but we are looking for more granular [details] and more candor in their annual reports with regard to the cyber risk that they are facing,” says Gronberg.
The report focuses on concerns with how firms are interpreting SEC guidance.
With some exceptions in the finance and health industries, most American companies are not required to report breaches to the government or customers.
However, the SEC issued guidance in 2018 that publicly traded companies should disclose “material cybersecurity risks and incidents in a timely fashion” to investors, weighing factors such as financial risk to investors and the importance of any compromised information….