Subodh Mishra is Global Head of Communications at Institutional Shareholder Services (ISS) Inc. This post is based on an ISS Corporate Solutions memorandum by Liam Hardy, Senior Associate, ISS Corporate Solutions.
Digital technology impacts businesses in myriad ways. The internet enhances the interconnectedness of people, systems, and processes, leading to added value for the products and services that make up economic activity. At the same time, this dependency exposes corporate issuers to an increasing amount of information security-related risk, raising alarm among stakeholders. Strong oversight to help mitigate this risk is becoming critical to the health of corporations and thus is viewed increasingly as a key governance issue. Such oversight should be structural and rooted in a company’s leadership and organizational design, including the board. While disclosure trends suggest that businesses are closing the gap with expectations, many companies may find areas for improvement.
Good information security oversight should seek to reduce a company’s potential risk of harmful economic outcomes. Cybersecurity breaches can cause widespread damage to operations, resulting in significant costs and liabilities.[1] The heightened threat of a breach has spurred greater scrutiny of companies’ programs and practices from proxy advisors, regulators, and investors. As a result, companies are building more comprehensive reporting of their mitigation efforts into their disclosures. The Securities and Exchange Commission (SEC) announced new rules in July 2023 requiring public companies to disclose their information security risk management strategies and governance practices annually, and to report any material cybersecurity incidents promptly (see ISS Insights: SEC Cybersecurity Rules Set New Hurdles for Public Companies).[2] As these mandates come into effect, businesses should consider not only how to comply with the new rules, but also how they can best demonstrate robust information security governance.