Research by the Centre for the Law and Economics of Cybersecurity (CLECS) and the International Centre for Financial Law and Governance (ICFG) at Erasmus School of Law shows that many listed companies in the Netherlands still do not disclose enough about their cybersecurity and the steps they are taking. This information is important for investors and other stakeholders, who need to know what cyber risks these companies face. Rens Hoogerwaard, researcher at CLECS, talks about this in Financieele Dagblad.
In their annual reports, companies listed on the AEX, AMX and AScX disclose little about how much money they spend on protection against cyber attacks, what concrete measures they take and the extent to which they are at risk of being hacked. CLECS has been examining these companies since 2019, looking at their internal governance, external communication and risk analysis.
One problem is that there is no uniformity in the way companies report on cybersecurity. Hoogerwaard also notes this: "We see, for example, that most of the measures are only mentioned by one company, probably because each company uses its own terminology. That makes it difficult to compare companies." In addition, no company shares how much it spends on security, which is something Hoogerwaard says would be possible: "Nor are we advocating that companies provide detailed information about vulnerabilities that have not yet been fixed. With sharing cybersecurity spending, we see no immediate danger."
However, improvements can be seen, according to CLECS researchers. For example, companies have come to consider cybersecurity increasingly important in recent years, and it has become a regular topic of conversation among corporate executives. Compared to last year, the researchers also see progress: 24% of listed companies have a director or commissioner with a focus on cybersecurity. Last year the figure was 20%.