Cybersecurity is an essential topic in the social debate. More and more companies are expressing themselves about the measures they are taking to guarantee digital security. Bernold Nieuwesteeg, director of the Centre for the Law and Economics of Cyber Security at Erasmus School of Law, and Eva Eijkelenboom, Assistant Professor of Commercial, Corporate & Financial Law at Erasmus School of Law, have published the Cyber Security Annual Report (CSAR) Index. It shows that fewer than 1 in 5 companies surveyed have a director or supervisory director with cybersecurity as one of their focus areas.
Increasing Transparency
In general, transparency about cybersecurity has increased. 36 companies report six or more specific cybersecurity measures, compared to only four companies in the CSAR index of 2020 (Ahold, Unibail-Rodamco, AkzoNobel and Van Lanschot). Of the listed companies, PostNL, Wolters Kluwer and Prosus share the most about their cyber policy. Transparency has also increased significantly in the annual reports. Almost half of companies lacked cybersecurity information in 2020. Now, this is only the case for ten percent of listed companies.
Compulsory IT audit
Although transparency is increasing, cybersecurity does not yet seem to be the focus for many companies. The annual reports show that only one in five companies surveyed has a director or supervisory director who has cybersecurity as a focal point. The CSAR Index 2021 shows that a current discussion about mandatory IT audits could be an excellent contribution. Recently, the plan for an annual audit has been heavily criticized by cybersecurity officers. The recent plea from IT auditors is that there should be more transparency about cybersecurity. The CSAR Index shows that the market is rapidly becoming more transparent regarding cybersecurity.
Impact of cyber attacks
The impact of non-optimized (digital) security has dominated the news for years. Ransomware attacks at Colonial Pipeline and Kaseya were a hot topic last summer. It is therefore striking that there are significant differences in the degree of transparency about cybersecurity, especially because investors are increasingly including a company's cyber risks in their investment decisions.
Trickle-down effect
According to a study, the differences can be explained by the lack of an obligation to provide transparency regarding cybersecurity in the annual reporting. Despite the lack of legislation, Nieuwesteeg and Eijkelenboom believe that the advantages of transparency outweigh the disadvantages. Although transparency about cybersecurity does not have to correspond to the actual level of cybersecurity, this is the information on which investors base their decisions. In addition, transparency about and attention to cybersecurity can create a trickle-down effect, making the entire organization more aware of cybersecurity risks.
Corporate cybersecurity measures vary
92 percent of the listed companies in the AEX, AMX and AScX index provide specific information about cybersecurity measures. This is a significant improvement from the 53 percent in 2020. For example, the companies talk about the appointment of an Information Security Officer, internal rules that apply and the organization of cybersecurity awareness campaigns and workshops.
About the Cyber Security Annual Report index
The Cyber Security Annual Report index is a collaboration between the Centre for the Law and Economics of Cyber Security (CLECS) and the International Centre for Financial Law & Governance (ICFG), Erasmus School of Law. Both centres organize high-quality applied and fundamental research.
*The CSAR index 2020 analyses the annual reports for 2018, while the CSAR index 2021 analyses the annual reports in 2020. The 2022 CSAR Index will scrutinize the 2021 annual reports.