Cyber researchers from Rotterdam critical of the disclosure of cyber security from exchange companies

In their annual reports, companies listed on the AEX, AMX and the AScX explain little about how much money they spend on protection against cyberattacks, what measures they have taken or the extent to which they risk being hacked. Since 2019, the CLECS has researched the above-mentioned companies. They focus on these companies' internal governance, external communication and risk analysis.

Unity and transparency

One of the problems is that the companies do not use an unambiguous way of reporting their cybersecurity. Hoogerwaard concludes that as well: "We see, for example, that the majority of measures is just mentioned by a single company, probably because every company uses its own terminology. That makes it hard to compare these companies." In addition, there is not a single company that shares how much they spend on security, which should be possible, according to Hoogerwaard: "We do not want to plea for companies to share detailed information about their unsolved vulnerabilities. However, sharing their cybersecurity spending should not be dangerous."

Nonetheless, there are some visible improvements according to the researchers of the CLECS. For example, companies care more and more about cybersecurity and the subject is an essential topic of conversation within top management. Compared to last year, the researchers also see an improvement: 24% of the listed companies have a board member or a commissioner focused on cybersecurity. Last year, this was 20%.