Cyber security threats continue to increase each year, and with each increase, corporations face billions of dollars in mitigation and cleanup costs. Last year, companies spent $86 billion on cyber security and protection efforts. These costs are passed to consumers, but the expenses should also be reported to investors.
The issue corporations face is when to report these expenses. Hackers threaten corporations daily. Some threats are small and easily mitigated, while others cost millions to repair, including the damage to customer relations and the brand trust lost after data theft. The logistics and procedures overwhelm investors, who usually don’t understand the importance of cyber security and the need for updated software and monitoring systems each year.
Even more threatening are insider threats. Security specialists spend money mitigating threats from the outside, but it takes more effort and high-end software to monitor insider threats. These are also the threats that cost corporations millions. They can be the most long-lasting and hurt the brand for years afterward.
After the threat is contained and the loss is evaluated, the corporation must decide when it’s time to disclose a successful attack to investors. Small attacks are usually mitigated with little effort, but larger, more expensive attacks should be disclosed to investors as an expense. This could be on a quarterly expense report or during yearly reviews.
Investors don’t normally have the technical savvy to understand the details and specifics of a cyber attack. This can be a challenge for the security advisor or CTO responsible for disclosing high-end costs: investors want to know when high costs occur but don’t understand the details of hacking and threats.
Companies are only now realizing the damage threats can do to the bottom line. IT security is usually costly, and now insider threats are also a primary concern. The right monitoring systems, analytics and mitigation costs should be discussed with investors to convey the importance of protecting data from both outside threats and insiders.
Security experts should convey to investors that security should be a proactive procedure, not a reactive one. A reactive approach is much more costly and can do damage for years to come. Being proactive might cost the corporation in the beginning, but the cost associated with fixing the damage after the fact is much more severe. These costs should be disclosed to investors as part of important operating costs.