A real risk but they cannot tell us about it

One real risk relates to cyber security. Companies today cannot survive without adequate cyber protection. This risk gives them a chance to spray buzzwords in their risk statement, to fill out its importance and to show how serious it really is.

The list is long:

‘cyber attack, malicious intrusion, breakdown, destruction, loss of data privacy, target of malware, hacking, data leakage, invasion, corruption of data, security breaches, disruption, degradation or breakdown.’

Here is an example:

“Breaches of data security, disruptions of information technology systems and cyber threats could result in financial, legal, business or reputational harm. “

And then comes the inevitable ‘BUT’. Despite all our efforts: ‘there can be no assurance that our measures and efforts will prevent future attacks.’

Having announced the risk then what? Understandably none of the companies give us information or assurance on the state of their defences. Anything specific would help the hackers. The risk is left hanging there for the investors and readers to worry about. They do not give us any information we didn’t know before reading the annual report. Everyone knows they operate in a threatening cyber security environment which is nothing but business as usual.

However this risk does not depend only on management’s cyber protection. Even if the protection is robust hackers may get in and here the impact can lead to bankruptcy. So companies only know how good their defences are after an attack, and even then they rarely tell us about it.