The Cyber Disclosure Trend of Listed Dutch Organizations: an Exploration
Academic year: 2021

SUBMITTED IN PARTIAL FULFILLMENT FOR THE DEGREE OF MASTER OF SCIENCE

Edward Gubler
10536892

MASTER INFORMATION STUDIES
Information Systems
FACULTY OF SCIENCE
UNIVERSITY OF AMSTERDAM

Date of defence: 03-07-2019

1st Examiner: prof. dr. T.M. (Tom) van Engers, Faculty of Science, UvA
2nd Examiner: R. (Ralph) Koning MSc, Faculty of Science, UvA
External Supervisor: Ir. Peter Kornelisse MSc, Technology Risk, EY


ABSTRACT

The importance of cybersecurity is increasing due to the increasing number of cyber threats. Both organizations and IT auditors need to increase their attention on rising cyber risk. In this study, the disclosure of cyber risk in annual reports of listed Dutch organizations of 2018 is compared with IT auditor forms that measure cyber risk, with annual reports of listed US organizations of 2018, and with annual reports of the same Dutch organizations of 2015. This way, it can be determined if Dutch organizations are increasing their cyber risk reporting, and if Dutch organizations are ahead of or behind US organizations in regard to cyber reporting. Since the USA has legislation to enforce cyber disclosure by organizations, it is interesting to see if this actually has a significant impact on cyber risk reporting. Also, a framework is presented with the most commonly mentioned cyber actors, cyber threats, cyber-related risk-influencing factors and cyber-related (inherent) business risks in recent literature. Content analysis is done to see how often elements in this framework are mentioned by organizations and by IT auditors. In the end, this study concludes that Dutch organizations are increasing their cyber risk reporting and do not seem to be behind US organizations. Also, Dutch organizations are quite transparent according to the results found.

KEYWORDS

Cyber, Cyber Risk, Cyber Threats, Cyber Security, Cyber Disclosure, Disclosure Transparency

1 INTRODUCTION

Cybersecurity is becoming more important by the day due to the increasing development of electronic commerce [38]. One of the many ways in which cybersecurity can be defined is as the body of technologies, processes, and practices designed to protect networks, host systems, applications and information from compromise and to support the resiliency of the system to recover from attacks [22].

Organizations are increasing their investments in cybersecurity due to the increasing cyber threats, which consequently can lead to business-critical risks. Another explanation is the fact that many governments have taken action to force a higher level of cybersecurity onto organizations. Governments do this because of the fear that some organizations are still under-investing in cybersecurity [31]. The recent cyber attack in 2017 on A.P. Moller-Maersk shows that the consequences of cyber attacks can be quite catastrophic, both operationally and financially [39].

In addition, the recent implementation of the General Data Protection Regulation (GDPR) within the EU has an influence on the pressure that is put on the cybersecurity of organizations. Organizations risk a fine for non-compliance with the GDPR regulation which can reach a maximum of 20 million euros or 4 percent of the worldwide revenues, depending on which one of the two options results in the highest amount [85]. In this way, not complying with the GDPR can be dangerous for the continuity of organizations and consequentially become a business-critical risk for organizations [29].

Moving parts of the IT infrastructure to the cloud seems like a solution that can decrease certain business risks, but this is not always an improvement. Some benefits of moving certain business processes to the cloud, which can also decrease business-critical risks, are the saving of costs, improving efficiency, enhancing agility, gaining more flexibility and scalability, and improving environmental sustainability. Risks that may be increased by implementing cloud computing are weaker outsourced protection of security and privacy. Cloud computing can also be challenging to perform audits on because cloud computing is still a relatively new technology with no established (IT) audit standards. Another reason why cloud computing can be harder to audit is that cloud computing can be relatively complex [15]. These are just a few examples of the many developments happening in the cyber domain.

It is clear that both organizations and IT auditors should be aware of the increasing impact of cyber threats on organizations. Dutch IT auditors need to comply with NV COS315. The NBA is created by the Royal Dutch Professional Association of Accountants and therefore binds all accountants and IT auditors to take the NBA legislation into account. The legal basis for the NV COS315 is found in the ISA315, which is the international standard for this legislation [40]. Both the ISA315 and the NV COS315 compel organizations to take into account the risks that are the probabilities of loss based on the nature of an organization’s business [57], which can be applied to financial misstatement. Cyber threats can cause such risks as well and therefore auditors can no longer ignore cyber threats while performing audits.

For this study, the focus lies on the inherent business risk without taking mitigating measures into account. It can be interesting to determine if organizations take cyber risks as seriously as IT auditors, or if there is a clear gap between these two parties that are involved in cyber. Also, determining which cyber-related (inherent) business risks, cyber-related risk-influencing factors, cyber threats, and cyber actors are currently the most present for both parties can be of use in this rapidly changing environment. The result of this can be compared with the most recent literature regarding the cyber domain. Comparing the way Dutch organizations and US organizations report cyber in their annual reports can determine if the US legislation that makes reporting cyber incidents mandatory has had any influence on the extent of cyber reporting of US organizations in their annual reports. Finally, a clear difference between the view on the cyber risk of the auditor and the publicly available annual report of the organization can also give a good indication of the transparency of organizations in regard to cyber disclosure. In the end, a current picture will be presented regarding the disclosure of cyber details by listed Dutch organizations in comparison with the USA disclosure results and with past disclosure results.

2 RELATED WORK

To determine which cyber actors, cyber threats, cyber-related risk-influencing factors, and (inherent) cyber-related business risks are currently the most acknowledged among IT auditors and organizations, a number of commonly mentioned cyber risks in literature is first presented to create a framework of various cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related (inherent) business risks. According to the US Cybersecurity Magazine in 2019, there are 10 key threats, actors or risk-influencing factors related to cybersecurity for organizations [50]. Some of these cyber threats, cyber actors and risk-influencing factors are inseparably connected with each other. Not all threats, actors, factors and business risks presented in the following subsections are directly derived from Cybersecurity Magazine. All are however derived from recent literature to be able to create a current framework. Also, the registered cybersecurity incidents from the National Cyber Security Centrum (CSBN) of the Netherlands can give insight into current trends regarding cybersecurity [58].


At the end of this section, the current trend of cyber reporting by organizations will be discussed.

2.1 Cyber Actors

Different kinds of actors that can cause cyber damage mainly differ based on their motives. The types of attacks can be the same, but generally, the impact differs between distinct actor types [11].

2.1.1 Hackers.

The red line through actors that can increase cyber risk is, logically, hackers. Hackers are probably the best-known form of cyber actors and can be the cause of a lot of the cyber threats that are described later in this research. Not all hackers are actually cybercriminals. There are many "white-hat" or "gray-hat" hackers that do not (solely) perform hacking with criminal purposes but also to discover weak spots in the cybersecurity of organizations that can then promptly be fixed [73]. The most dangerous type of hacker is a hacker that exposes a cyber hacking tool to the public, which can be utilized by anyone with even limited computer knowledge [83]. Because of this, organizations should always be aware of the latest public hacking tools if they want to be able to defend the organization against these tools. Other forms of cyber actors are often a type of hacker as well.

2.1.2 Criminal Organizations.

Hackers can be a member of criminal organizations if the goal of the hacker is to enrich the criminal organization by performing hacks. This subsection only addresses profit-driven criminal organizations. Phishing and malware attacks are common forms of cyber attacks that are often driven by potential profit for the attacker [52]. Targets of criminal organizations that are profit-driven are often organizations that are in the financial sector [47].

2.1.3 Cybervandals.

In contrast to general cybercriminals, cybervandals do not damage or destroy data or IT infrastructure of organizations for financial reasons, but mainly because they enjoy causing the damage. It is also possible that cybervandals perform cyber attacks to gain more renown within a group of hackers. Commonly used methods to perform cybervandalism are (Distributed-)Denial-of-Service (DDoS) attacks and the destruction of data [16].

2.1.4 Cyber Terrorists.

Cyber terrorism is a growing threat to the world and affects the lives of millions of people every day. Cyber terrorism can target a single person, an organization or even entire governments at the same time [23]. A small group of terrorists can, with the help of information technology, cause sufficient damage in the form of disruption of infrastructure, financial loss, psychological damage [35] to humans and in the most extreme case loss of human lives [6]. Since cyber terrorists attack (government) organizations as well, it is important that potential targets of cyber terrorism take this actor group into account.

2.1.5 Insiders.

Insider threats still form a great cyber risk for organizations, and might possibly even be the greatest risk of all [53]. Both actual employees and (disgruntled) former employees form a danger to organizations [30]. Two types of insider threats can be distinguished; the first group consists of insiders that intend to use their privileged access for malicious reasons. The second group consists of insiders that form a threat to the organization by accident, which makes them non-malicious, but in general even more dangerous [61]. A well-known form of non-malicious insider threats is becoming a victim of (spear) phishing.

The Principle of Least Privilege can be applied to protect the organization better against active employees [28]. Clear cyber policies and cyber risk training can reduce the risk caused by active employees as well [34]. Swiftly revoking the access rights of former employees is of great importance, since there are numerous cases of former employees that tried to harm their former employer [68]. The revoking procedures should be an integral part of the IT policies of every organization.

2.1.6 Hacktivists.

Hacktivists, sometimes hard to distinguish from cyber terrorists [79], are protesters against the political regime, specific organizations or a specific individual, who utilize computer hacking to spread their message all over the world with the help of the internet [1]. Often this is not only limited to spreading their message, but also consists of an attack on the political regime, an organization or an individual that is the target of the hacktivists.

2.1.7 Nation-states.

Warfare between nation-states is not only fought in real-life combat, but also in the form of cyber warfare. Since nation-states can target important organizations of conflicting nation-states as well, the danger of other nation-states should be considered by organizations as well [19].

2.2 Cyber Threats

The actors mentioned above can perform several types of cyber attacks, all with different outcomes. In this subsection, the attacks that are used most according to recent literature are addressed.

2.2.1 (Distributed-)Denial-of-Service Attacks.

A popular tool among hackers and other people who want to disrupt the network infrastructure of an organization is the use of Distributed-Denial-of-Service (DDoS) attacks. The basis for this attack is derived from a standard Denial of Service (DoS) attack, which is just a single computer attacking a server by sending a lot of requests to the server [82]. The distributed variant uses multiple devices to attack a server by flooding it with too many packets. This can be done by a hacker that creates a botnet of badly protected devices, or by a planned attack by multiple people utilizing their own devices at the same time [81]. Both people and organizations connecting all kinds of badly secured devices to the internet can result in a huge botnet of these devices that can unknowingly and unwillingly perform a DDoS attack on any organization’s server [4]. CSBN mentions (D)DoS attacks as well in the categories of most registered cyber incidents. With 8% of the incidents being (D)DoS attacks, these attacks cover quite a large portion of all cyber incident registrations.

2.2.2 Malware.

Malware attacks are breaches in a system where malicious software programs become active without the knowledge of the user. Malware attacks on the network level of an organization can have a considerable impact on the IT infrastructure of an organization. For instance, a CryptoLocker ransom malware (ransomware) program can encrypt a lot of important files on an organization network and can demand a certain amount of money, which is in general paid in cryptocurrency. After payment, the organization is still not sure if the encrypted files will be decrypted again by the CryptoLocker [48]. Backups of these network layers of an organization are a good form of resilience against such an attack [76], but preventing these kinds of attacks would always be better than cleaning up afterward. Common tools for this are virus scans, but malicious software developers are always a step ahead of security software providers because security software companies create their anti-virus software as counter software against malware [18]. According to CSBN, 22% of the registered cyber incidents over the year 2018 in the Netherlands concerned malware infections, which makes it one of the biggest concerns of all cyber threats [58].

2.2.3 (Spear) Phishing.

Phishing is a social engineering attack where insiders of an organization are seduced by the attacker into fraudulently handing over sensitive data, where the attacker acts like a trustworthy party or individual, which in the end results in damage to the organization and in most cases enriches the attacker [13] [42]. Where general phishing e-mails are sent in large numbers to all kinds of e-mail addresses and contain more generic information, spear phishing targets only a single person or a selection of people and adjusts the content to the specific receiver(s). These better-aimed attacks tend to be more successful because they appear more trustworthy than generic phishing e-mails [14]. Training employees can reduce the chance of employees falling into the trap of phishing [32]. According to the CSBN, 28% of the registered cyber incidents in the Netherlands over the year 2018 were some form of phishing, which makes it the biggest cyber threat category [58].

2.2.4 Man-in-the-Middle Attacks.

While encrypted data is communicated between two parties, it is still possible for another party to eavesdrop on the communication. The unwanted party can intercept the communication medium the parties are using and later decrypt the data that is communicated. This is called a Man-in-the-Middle attack [65]. An important detail is that the two communicating parties do not know that a third unwanted party is receiving the data as well, which means data is breached without anyone even knowing this is happening. If an organization uses third-party services that are not secured for communication or data transfer, it could happen that a Man-in-the-Middle attack interferes with the communication [74].

2.2.5 SQL Injections.

A danger for organizations that make use of web-based applications is SQL injections. A risk that accompanies this threat is the loss or breach of sensitive data, or even damage to the application. The data breach could include credentials for the web-based application as well [36]. The attacker sends an SQL statement as input into the application, which can result in receiving data back that should generally not be accessible to the attacker [8]. A data breach or damaging web-based applications can, of course, cause damage to business processes of organizations, which is why SQL databases and web-based applications should always be secured in the best way possible.

2.3 Cyber-related Inherent Risk-Influencing Factors

There are multiple organizational factors that can increase or decrease the cyber risk and therefore the cyber-related inherent business risk of organizations. Next, a number of these factors are described.

2.3.1 Dependency on (Information) Technology.

The dependency of organizations on the internet and other kinds of technology increases cyber risk as well. Organizations that make use of Supervisory Control And Data Acquisition (SCADA) systems are a good example of dependency on technology. SCADA systems are used to control and monitor infrastructures that are of great importance to whole nations, used in sectors like water or power supply, but in transportation networks as well [56]. Often Industrial Internet of Things (IIoT) is used by these SCADA systems, which can easily be disrupted and therefore increases the risk of becoming a target of a cyber attack [27].

2.3.2 Use of Cloud.

A specific form of insecure third-party services is insecure Infrastructure as a Service (IaaS). More organizations are moving (a part of) their IT infrastructure to the cloud, but this, of course, brings risks as well. Not only business processes are moved to the cloud, but also more and more data. The question remains who exactly is responsible when client data is lost in the cloud. Moving sensitive data to the cloud is a risk because the security is once again outsourced to the cloud provider and not kept in-house. Also, putting data in a third-party cloud makes it susceptible to DDoS attacks [71] [46]. Many cloud platforms have security and authentication processes that are simply not safe enough.

2.3.3 Use of Third-party Services.

Organizations make a lot of use of third-party services, which can in some cases increase cybersecurity, but the danger is organizations becoming dependent on these third parties and their security measures [69]. Because of these third-party services, cyber risk is no longer just an internal IT security problem, but also external third parties and their cyber profile can now become a problem that needs to be addressed [51]. An example can be when a third party which is used by an organization becomes the subject of a DDoS attack, which results in systems of the organization not functioning any longer. Another danger is that the third party accidentally grants access to the wrong people, who could be part of another organization since there are normally multiple organizations that make use of a third-party service.

2.3.4 Cyber-related Regulation.

Operating in a heavily regulated sector can increase the cyber risk of an organization because successful cyber attacks can breach the compliance with regulations of organizations or reveal that organizations were not compliant in the first place [75]. Currently, there is no uniform international law that is active regarding cyber and cybersecurity, but especially the EU, the United States, and Asia have regulation in place to stimulate and facilitate mitigation of cyber risk [45]. Not complying with the legislation can result in huge fines, as mentioned earlier in the introduction regarding the EU GDPR legislation.

2.3.5 Internet of Things.

The trend that causes the uprising of the Internet of Things (IoT), where networked objects are communicating their data that can be controlled by other objects and systems, could be a cyber risk for a growing number of organizations. When a lot of components are all connected to each other, in some cases only a single component needs to get infected by malicious software to spread to the complete components network [64]. Since the IoT is quite a recent development, cyber risk and strategies to reduce this risk have not been created and tested thoroughly yet [63]. Many organizations are in a hurry to create IoT products, but some of these organizations neglect to focus on the security of these devices [43]. The National Institute of Standards and Technology (NIST) of the United States recently included the Internet of Things as a cyber risk as well in their "Roadmap for Improving Critical Infrastructure Cybersecurity" [60].

2.3.6 History of Cyber Attacks.

If the sector of an organization or the organization itself has been a target of cyber attacks in the past, then the cyber risk is increased as well [10]. This risk is even higher if cyber attacks have been successful in the past. For this reason, it is necessary to look at the cyber attack history of sector peers and of the organization itself to estimate the cyber-related inherent business risk. However, holding on to history too much can become dangerous as well since cyber is a subject that develops rapidly. The cyber history of an organization can be an indicator of the future cyber risk of an organization, but it is not a guarantee [12].

2.3.7 Shadow IT.

Another cyber risk increasing factor is the presence of shadow IT in an organization. Shadow IT is a term that describes the use of software and hardware that is not provided by the organization, and is therefore not monitored by the IT department of an organization. The tendency of organizations to let their employees bring their own devices (BYOD) to be able to work remotely introduces more cyber risks. These personal devices that are not managed and monitored by the organization are still connected to the organization networks, which can be a way to transfer malicious software to the organization network due to lack of security software [21]. At the same time, third-party cloud computing tools outside of the monitoring and the management of the organization can be used to store and share work that contains data of the organization. This makes an organization dependent on the trustworthiness and security of these third-party software providers that do not have an enterprise contract with the organization. Especially data loss is a big risk that is taken by employees in this way, without the employees really realizing they are taking this risk at all [80].

2.4 Cyber-related (Inherent) Business Risks

Cyber-related inherent business risks are the probabilities of loss based on the nature of the business of an organization, which can be applied to financial misstatement due to transactional errors or fraud, that are related to the IT infrastructure of an organization. In the case of inherent risk, no mitigating measures are taken into account. Traditionally, risk management has been applied in businesses to check insurance products and instruments with a financial character. Nowadays, the IT infrastructure of organizations requires these checks as well, since the IT infrastructure is inseparable from the financial instruments of an organization [72]. In the end, information security risk is an important part of the total risk of an organization. Consequently, cyber security can be seen as a form of risk management [66], but for this study, the focus is on the inherent risk without taking mitigating measures into account. Several related factors can increase the cyber-related inherent business risk of an organization. These risks will be presented in this subsection.

2.4.1 Unintentional disclosure of Data.

A data breach is probably one of the most well-known cyber-related business risks. A data breach can be described as the intentional or unintentional release of sensitive, confidential or personal information to an untrusted party or individual [20]. Data breaches are a very serious problem. For example, there were 450 data breaches recorded in the health sector in the USA in 2016 [59]. Leaking sensitive data, like health data, to for instance health insurance parties, could be catastrophic for the data subjects [2]. Considering these cases only cover the incidents that have been recorded within the USA healthcare sector, the global danger of data breaches is huge. Losing sensitive or personal data of clients can be even more of a risk nowadays, especially since the GDPR went into force, which, as stated before, could lead to enormous fines for organizations and threaten the continuity of the organization [85]. Not only the GDPR fines are a risk, since the corporate reputation of an organization could also suffer, which in turn can cost an organization both investors and clients when losing sensitive or personal data [70].

2.4.2 Data Loss.

The loss of data is a cyber risk as well. If not backed up correctly, important data can get lost without the possibility of regaining the data. In this case, the damage or disappearance of data is being addressed. This can hurt business processes and become a critical business risk as well [54]. Storing data in cloud solutions, provided by third parties, can increase the risk of data loss [49], but could in fact also decrease the risk [17] if the party is trustworthy. Shadow IT can increase this risk as well since no backups are made of personal devices by the IT department of an organization [9]. A threat that often causes data loss is malware in the form of ransomware, where a cryptolocker encrypts files and does not decrypt the files afterward. This can result in a loss of data [26].

2.4.3 Reduced Business Performance.

A cyber attack damaging a part of the IT processes can in some cases indirectly damage other parts of the IT processes as well because parts of the IT systems of organizations can be dependent on each other [67]. An example is the dependency of factory automation on industrial IoT. Only a single device of the IoT of an organization has to become subject to a cyber attack, which could spread to the other devices in the network, which could consequently damage the complete network [37].

Failure or reduced availability of IT processes can result in interrupted business processes, which can reduce production capacity and reduce the business performance of an organization. In the most severe case, the production of an organization can be completely blocked. Consequently, this can form a danger for business continuity. Thus, reduced business performance can be classified as a critical business risk [78].

2.4.4 Reputational Harm.

Becoming the subject of successful cyber attacks can result in reputational harm as well [5]. The reputation can be damaged so badly due to cyber attacks that it can even end up being irreparable [84]. The loss of a good reputation can escalate into a critical business risk once clients lose their trust in an organization [62] [33]. Trust can, for instance, be lost once sensitive client data is breached, which makes it less likely that (new potential) clients will trust the organization with their sensitive data in the future [3].

2.5 Organizational Cyber Reporting

In some countries over the world, including the USA, it is already mandatory for organizations in some sectors to disclose severe cases of cyber incidents and unintentional disclosure of (client) data. The disclosure of such information can either be to the data subjects or the mass public, or to government authorities that are institutionalized for these kinds of matters. Some of the laws that force this behavior are the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Federal Exchange Data Breach Notification Act of 2015 [24]. In the Netherlands, reporting cyber risk in annual reports is completely self-determined by the organizations. It is however common to inform (potential) investors of actual business risks, which could be related to cyber risks as well.

A challenge that arises when organizations need or want to inform their (potential) stakeholders of cyber incidents, for instance through annual reports, is that organizations also give away their vulnerabilities to potential cybercriminals [25]. Even if organizations would want to be very transparent regarding their cyber risk towards stakeholders and (potential) investors, it could open doors for cybercriminals as well. By exposing cyber risks and the subsequent monitoring and mitigating resources, cybercriminals can determine vulnerabilities and make malicious use of these insights [7].

3 RESEARCH QUESTIONS

Analyzing the reporting of cyber risk and other cyber-related details can probably give a good view of the current cyber profile of Dutch organizations. Looking into the possible alignment between IT auditors and these Dutch organizations could make this insight into the cyber profile of Dutch organizations clearer. Based on the recent literature findings and the available materials to investigate these matters, the following research questions were constructed.

Main question: How are listed Dutch organizations performing in regards to the disclosure of cyber details in annual reports?

Sub question: Which cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related business risks are most commonly referred to by organizations and IT auditors?

Sub question: Which cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related business risks have the most disparity in occurrence between organizations and auditors?

Sub question: Is there a difference between US organizations and Dutch organizations regarding cyber details disclosure?

Sub question: Has the disclosure of cyber details by Dutch listed organizations increased between 2015 and 2018?

4 METHODOLOGY

4.1 Data Subjects

The first data subject is the subject of 3 out of 4 data sources used in this study. This data subject consists of 15 listed Dutch organizations. These 15 organizations are the same for all three of the data sources referred to above.

The second data subject is derived from the EY cyber disclosure benchmarking study in which the cyber risk disclosure of US annual reports was measured. This group consists of 79 Fortune 100 organizations based in the USA over the year 2018. The different data sources will be described in more detail in the "Materials" section. An overview of all data sources can be found in table 1.

4.2 Design

The design of this study can be categorized as non-experimental cross-sectional research. The study is non-experimental because data subjects were not randomly assigned to different conditions and the predictor variables were not controlled or manipulated [44].

4.3 Materials

There are 4 different data sources that together form the material used in this study. A quick overview of these data sources can be found in table 1.

Several disclosure topics within the categories of board oversight, statements on cybersecurity risks and risk management have already been benchmarked for 79 Fortune 100 companies over the year 2018 [25]. These various disclosure topics are referred to in the text as "disclosure categories". The data of this benchmarking study is used to compare the cyber reporting in annual reports between US organizations and Dutch organizations and is the first data source.

The second data source consists of publicly available annual reports of listed Dutch organizations for the year 2015. The benchmarking scheme provided by EY [25] is used to collect the data for the Dutch organizations as well, since only data for the US organizations was already available. The data format of both the US and the Dutch data is binary, which means each data point is either a "1" (present) or a "0" (not present) for a specific type of disclosure. In addition to the benchmarking results, content analysis is used to derive further data from the text of the annual reports: the mentioning of specific cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related business risks.

The third data source is identical to the second data source, except that the reports concern the financial year 2018 instead of the financial year 2015.

The fourth data source is derived from the accountant, Ernst & Young (EY), and consists of cyber risk forms for the same Dutch organizations that are the subject of the Dutch annual reports mentioned above. These forms also concern the financial year 2018. The form used by the auditor has a basic structure, but how the questions in the form are interpreted and how extensively they are answered are up to the individual auditor. The exact structure of the form cannot be provided in this study because it is confidential.

All organization names are coded and anonymized because the audit forms are confidential.

Data Source                                                      N
Mean cyber disclosure values of US organizations 2018            79
Annual reports of (the same) listed Dutch organizations 2015     15
Annual reports of (the same) listed Dutch organizations 2018     15
IT auditor forms of (the same) listed Dutch organizations 2018   15

Table 1: The different data sources used in multiple analyses

4.4 Procedure

A content analysis was performed to extract data from the data sources. The coding was done by only one person, which means the requirements for inter-coder reliability are unfortunately not met; the reason for this is a lack of human resources. Table 7 (Appendix 6) was used for the coding of all the annual reports to collect cyber disclosure benchmarking data. Another coding table, table 6 (Appendix 5), was utilized to distill specific cyber actors, cyber threats, cyber-related risk-influencing factors and cyber-related (inherent) business risks. The coding schemes only assist in the coding: in general, all the text of at least the risk section had to be read and interpreted to be able to perform the coding for the content analysis.

4.5 Analysis

SPSS (version 23) [41] was used to analyze the data with the following compare-means functions: "Means...", "One-sample T-test" and "Paired-Samples T-test". In the results section, the exact procedures are addressed for the different analyses.


5 RESULTS

First of all, the results for the cyber attack types "Man-in-the-Middle attacks" and "SQL-Injections" and the cyber actor type "Cyber Vandals" were removed from the results tables because there were no matches in any audit forms or annual reports. The same was done for the influencing factors "use of Internet of Things" and "Shadow IT" because these were found only once in all reports and forms. A possible explanation is that these kinds of threats and influencing factors are too specific or too technical to be mentioned by IT auditors or in annual reports.

5.0.1 Content Analysis. Content analysis on both the included annual reports and the matching cyber forms of the auditor was applied to determine which details occurred in both data sources and which did not. This analysis is necessary to determine which cyber actors, cyber threats, cyber-related inherent risk-increasing factors, and cyber-related inherent business risks are most present in the annual reports and in the cyber forms of the auditor. Content analysis is also necessary to determine to what extent Dutch organizations report on cyber in their annual reports, so that this data can be compared with the already available results of US organizations [25]. To obtain this data, various categories are first determined and defined [55]. These categories are either "present" or "not present" in the annual reports of the organizations and the cyber forms of the auditor and are therefore marked with either a "1" or a "0" for each Dutch organization that is addressed.

5.1 Data Analysis

For all mean comparisons, an α (alpha) value of 0.05 was chosen as the significance threshold because this is the default threshold for a two-tailed test [77].

5.1.1 Comparing benchmark results of the US organizations with the Dutch benchmark Results over the year 2018.

To determine if a significant difference exists between the US benchmarking results and the Dutch benchmarking results, a One-sample T-test was applied for every statement/category. The reason for choosing a One-sample T-test over an independent T-test is that the complete data set for the USA was not available, only the USA average value for every category. The H0 hypothesis is that there is no difference in the extent to which cyber reporting is done in annual reports between Dutch and US organizations. Since the means of the US data are fixed numbers and the complete data sets are not available, the fixed US means are compared with the Dutch data set over the year 2018.

When looking at the results of this analysis, to be found in table 2 (Appendix 1), many means of disclosure categories are quite close to each other between Dutch and US organizations over the year 2018. There are also some significant differences present. The disclosure category with code BLCO3 scores a lot higher for Dutch organizations than for US organizations, with a mean value of 0.53 for Dutch organizations and only 0.20 for US organizations. This difference has a P-value of 0.03, which is less than the α of 0.05, which makes this difference significant. This difference indicates that Dutch organizations disclose more often than US organizations that a non-audit-focused committee oversees cybersecurity and cyber risk. This does not mean that Dutch organizations make more use of non-audit-focused committees, but only indicates that the disclosure of this kind of construction is more often present in annual reports of Dutch organizations.

The next significant difference that can be found is the disclosure category with code DC1. Where none (0%) of the Dutch organizations disclosed that cybersecurity experience is a key director qualification considered by the board, 41% of the US organizations disclosed this consideration by the board. This difference is obviously significant with a P-value of 0.00. From these results, no conclusion can be drawn that Dutch organizations do not consider cybersecurity experience to be of value for directors, but at least Dutch organizations did not find it necessary to mention this kind of board consideration in annual reports.

Dutch organizations, however, do find it necessary to disclose a management reporting frequency to the board regarding cyber matters of, specifically, quarterly or annually (table code: MRF2). Where only 11% of the US organizations made these specific kinds of disclosures, Dutch organizations disclosed these specific details in 60% of the cases.

Almost all Dutch and US organizations consider cybersecurity a risk factor (code: RFD1), but in the USA it is far more common to highlight the cybersecurity risk with a heading or a subtitle (code: RFD2). In the USA, 92% of the organizations highlighted the cybersecurity risk topic, whereas in the Netherlands only 40% highlighted the cybersecurity risk with a subheading or subtitle for the topic. Possibly it is just more common to use subheaders or subtitles in the USA, but this could also be an indication that US organizations take the cybersecurity risk more seriously.

On the other hand, Dutch organizations disclose far more often that training and education are used to mitigate cybersecurity risk. In the Netherlands, 53% of the organizations disclosed that training and education are used to mitigate cyber risk. For US organizations this mean value is only 15%, which is a significant difference with a P-value of 0.01. It could be that Dutch organizations make more use of education and training regarding cybersecurity risk, but it could also be that US organizations feel less pressure to disclose the use of training and/or education.

5.1.2 Comparing cyber risk disclosure between the Dutch annual reports of 2015 with the Dutch annual reports of 2018.

A paired-samples T-test is used to determine if there are significant differences in cyber reporting by Dutch organizations between the years 2015 and 2018. A paired-samples T-test is the best analysis for this because means are compared over different periods of time for the same data subjects. The results of this analysis can be found in table 3 (Appendix 2).

The first important result is the indication that, for almost every disclosure category, the mean value for Dutch organizations over the year 2018 has at least been kept the same as, and in most cases has increased compared to, the mean value for Dutch organizations over the year 2015. The only mean value that decreased when comparing 2018 with 2015 concerns response planning or disaster recovery (category code CRME2), but this difference is very small and not significant. Most of the differences found are not significant when using a threshold α of 0.05. Exceptions are the disclosure categories with table codes BLCO2 and MRS1, which were found to differ significantly between 2015 and 2018. BLCO2 is the disclosure category that concerns the disclosure of an audit committee addressing cybersecurity matters; MRS1 concerns any mention in the annual report of how the management of an organization reports cybersecurity issues to the board or the committee that oversees cybersecurity matters.

5.1.3 Comparing actors, threats, influencing factors and inherent risks between the IT auditor and the organization over the year 2018.

For every actor, threat, influencing factor and inherent risk type, an average presence is calculated for the auditor data set and the annual report data set, both separately and together. This way, the most present cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related inherent risks can be determined. Between the two groups, a significant difference can be calculated for every category as well by applying a Paired-samples T-test. A paired-samples T-test is used because the subjects of the two data sources are the same Dutch organizations; for this reason, the two data sources are not fully independent and an independent T-test should not be utilized.
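The one-sample T-test against a fixed benchmark mean (5.1.1) and the paired-samples T-test on the same organizations (5.1.2 and this subsection) can be reproduced without SPSS. The following Python example is added here and is not part of the thesis: the coding vectors are constructed (BLCO3 and DC1 reproduce the means quoted in the text, 8/15 = 0.53 vs 0.20 and 0/15 vs 0.41; the BLCO2 vectors are invented), and the p-value is computed from the regularized incomplete beta function rather than by SPSS.

```python
import math
from statistics import mean, stdev

ALPHA = 0.05  # two-tailed significance threshold used throughout the study


def _betacf(a, b, x):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    max_it, eps, fpmin = 300, 3e-14, 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= fpmin else fpmin)
    h = d
    for m in range(1, max_it + 1):
        m2 = 2 * m
        # Even step, then odd step of the continued fraction.
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= fpmin else fpmin)
            c = 1.0 + aa / c
            c = c if abs(c) >= fpmin else fpmin
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def betainc(a, b, x):
    """Regularized incomplete beta function I_x(a, b) for 0 <= x <= 1."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    # Prefactor x^a (1-x)^b / B(a, b), computed in log space.
    bt = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                  + a * math.log(x) + b * math.log1p(-x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def t_two_tailed_p(t, df):
    """Two-tailed p-value of Student's t statistic with df degrees of freedom."""
    if math.isinf(t):
        return 0.0
    return betainc(df / 2.0, 0.5, df / (df + t * t))


def one_sample_t(values, mu0):
    """One-sample T-test of a binary coding vector against a fixed benchmark mean.

    Returns (sample mean, t statistic, two-tailed p-value). A vector without
    variance (every organisation coded the same, as for DC1 in the text) has no
    finite t: it is reported as +/-inf with p = 0 unless the mean equals mu0.
    """
    n = len(values)
    m = mean(values)
    se = stdev(values) / math.sqrt(n)  # sample standard deviation (ddof=1)
    if se == 0.0:
        if m == mu0:
            return m, 0.0, 1.0
        return m, math.copysign(math.inf, m - mu0), 0.0
    t = (m - mu0) / se
    return m, t, t_two_tailed_p(t, n - 1)


def paired_t(first, second):
    """Paired-samples T-test on two codings of the same organisations.

    This is a one-sample test of the per-organisation differences against 0,
    as used for 2015 vs 2018 reports and for auditor form vs annual report.
    Returns (mean difference second-first, t statistic, two-tailed p-value).
    """
    diffs = [b - a for a, b in zip(first, second)]
    return one_sample_t(diffs, 0.0)


def verdict(p):
    return "significant" if p < ALPHA else "not significant"


# Constructed coding vectors for 15 organisations (1 = present, 0 = not present).
BLCO3_NL_2018 = [1] * 8 + [0] * 7   # reproduces the reported mean of 0.53
BLCO3_US_MEAN_2018 = 0.20            # only the US mean is available
DC1_NL_2018 = [0] * 15               # none of the Dutch organisations disclosed DC1
DC1_US_MEAN_2018 = 0.41
BLCO2_NL_2015 = [1] * 3 + [0] * 12   # invented, not the thesis data
BLCO2_NL_2018 = [1] * 10 + [0] * 5   # invented, not the thesis data

if __name__ == "__main__":
    for label, (m, t, p) in [
        ("BLCO3 NL 2018 vs US mean", one_sample_t(BLCO3_NL_2018, BLCO3_US_MEAN_2018)),
        ("DC1 NL 2018 vs US mean", one_sample_t(DC1_NL_2018, DC1_US_MEAN_2018)),
        ("BLCO2 NL 2018 vs 2015", paired_t(BLCO2_NL_2015, BLCO2_NL_2018)),
    ]:
        print(f"{label}: mean={m:.2f} t={t:.2f} p={p:.3f} ({verdict(p)})")
```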

The results of this analysis are presented in table 4 (Appendix 3) and show that there are some significant differences in how often listed Dutch organizations disclose certain cyber actors, cyber threats, cyber-related risk-increasing factors, and cyber-related inherent business risks and how often IT auditors mention these details in their cybersecurity risk estimation of the same Dutch organizations.

In general, specific cyber actor types are mentioned more often in annual reports by organizations than in cyber risk forms of IT auditors. Two clear actor types that are mentioned significantly more by organizations in their annual reports are cyber criminals and cyber terrorists. Cyber criminals were mentioned in only 13% of the auditor forms, but in 53% of the annual reports by organizations. This is a significant difference of 40% with a P-value of 0.03, which is less than the threshold α of 0.05. Another type of cyber actor that is mentioned significantly more often by organizations in their annual reports is "cyber terrorists". None of the audit forms include anything regarding cyber terrorism, but the annual reports by organizations include cyber terrorism in 27% of the cases.

Unlike the cyber actors, cyber-related risk-influencing factors are in general mentioned more often by IT auditors in their risk forms than by organizations in annual reports. One significant difference found is the mentioning of the cyber history of the organization or of the sector of the organization. In 53% of the cyber risk forms, the IT auditor mentioned the history of the organization or the history of the sector. In the annual reports by the organizations, this happened in only 13% of the cases. This is a significant difference of 40% with a P-value of 0.03.

The last category with a significant difference between the cyber risk forms by the IT auditor and the annual reports by the organizations is reputational harm. In cyber risk forms, potential reputational harm is mentioned in only 7% of the cases. In annual reports, the potential risk of losing reputation due to cyber is mentioned in 67% of the reports. This is a significant difference of 60% with a P-value of 0.00.

5.1.4 Comparing actors, threats, influencing factors and inherent risks between the Dutch annual reports of 2015 and the Dutch annual reports of 2018.

To determine if there are significant differences in the mean values of listed Dutch organizations regarding the reporting of cyber actors, cyber threats, cyber-related risk-influencing factors and cyber-related business risks, a paired-samples T-test was utilized, because the two data sources are derived from the same data subjects and are therefore not independent of each other. The results of this analysis can be found in table 5 (Appendix 4).

In general, there has been an increase in the reporting of cyber actors, cyber threats, cyber-related influencing factors and cyber-related business risks by listed Dutch organizations when comparing the annual reports of 2015 with the annual reports of 2018. Two significant differences between these two years were found, both influencing factors: "Cyber-related Regulations" and "Use of Third-party Services". The difference between the 2015 and 2018 means for cyber-related regulations is 53% with a P-value of 0.00, which is significant because the P-value is smaller than the α of 0.05. An explanation could be that this significant difference is caused by the GDPR implementation in the EU. The other significant difference, in mentioning the "Use of Third-party Services" as an influencing factor on cyber-related business risk, has a mean difference of 33% with a P-value of 0.02, which is also less than the α of 0.05 and thus significant.

6 DISCUSSION

6.1 Theoretical Contribution

The disclosure of cybersecurity in annual reports has already been broadly studied for US organizations, but not yet for Dutch organizations. The results indicate that in general both Dutch and US organizations already disclose many details regarding cybersecurity. A few significant differences were found, but overall no clear difference was found between Dutch and US organizations. The cyber disclosure legislation that is active in the USA does not clearly result in US organizations reporting more details regarding cyber than in a country where such legislation is not active, such as the Netherlands. Dutch organizations seem to describe cyber details in more detail. Dutch organizations also tend to disclose the use of training or education more often and seem to prefer to put a specific risk committee on cybersecurity issues. In the USA, not a risk committee but directors are found to be more important when cybersecurity issues have to be addressed. Overall, Dutch organizations seem to be a bit more transparent in reporting how cybersecurity matters are handled. This is based on the results indicating that Dutch organizations significantly more often give insight into how and when the management communicates cybersecurity issues to the board or the committee that oversees cybersecurity concerns. This difference could possibly be explained by cultural differences between the USA and the Netherlands, where being more specific is more common.

The results extracted from the comparison of cyber reporting by Dutch organizations between the year 2015 and the year 2018 give a clear indication of the growing attention of Dutch organizations regarding cybersecurity matters. For almost all disclosure categories the mean value was higher for the year 2018 than for the year 2015. The most significant differences were found to be the mentioning of an audit committee overseeing cybersecurity matters and the disclosure of how the management of an organization reports cybersecurity matters to the board or committee that oversees cybersecurity matters. This result was to be expected since the attention for cybersecurity in the media seems to have grown as well over the last years.

Looking at the results of the various cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related inherent business risks, some contributions can be found as well. First of all, both IT auditors and listed Dutch organizations see the dependency on (information) technology as a factor that could influence their business risk. Almost all IT auditors and organizations mentioned the potential influence of the dependency on (information) technology. Also, the use of third-party services and the influence of cyber-related regulation are mentioned very often by both the IT auditors and the organizations. Annual reports seem to focus more on who could cause cyber incidents. Specific actors that receive a lot of attention are cyber criminals and cyber terrorists. Cyber criminals are understandably found more often, but it is more surprising that cyber terrorists are mentioned this often. Specific sectors that mention cyber terrorists more often were not found, so a clear explanation based on sector type for the fear of cyber terrorists was not found. An explanation could be that cyber terrorism has appeared in the media more often in recent years. For IT auditors it could be beneficial to invest more time in the various cyber actors that can cause cyber incidents.

The mentioning of various kinds of threats did not differ significantly between the IT auditors and the organizations. The three kinds of cyber threats mentioned a lot in both the IT auditor forms and the annual reports are also found a lot by the CSBN, which finds phishing and malware to be the most mentioned and registered types of cyber threat. However, a significant difference is found for the influencing factor "cyber history" of the organization or of the sector the organization operates in. IT auditors often mentioned the cyber history, which was almost never done by the organizations in their annual reports. Possibly organizations do not want to cause too much fear among their (potential) stakeholders and because of this often do not mention anything regarding their cyber history.

When looking at the cyber-related business risks, only organizations often mention the risk of damage to their reputation due to cyber incidents; IT auditors do not mention this often. A reason for this could be that reputational damage is not directly perceived to have an effect on the annual figures of an organization. Both IT auditors and organizations see the risk of damage to business processes because of cyber incidents. The cyber-related business risk that concerns both IT auditors and organizations the most is the unintentional disclosure of data. Almost all IT auditors and organizations mention the risk of unintentionally exposing company or client data. There is no clear sign that this is driven by the effect of the GDPR regulation, since back in 2015 the unintentional disclosure of data was mentioned by almost all organizations as well.

However, cyber-related regulations are mentioned as an influencing factor for cyber risk far more often by Dutch organizations in 2018 than back in 2015. This is probably caused by the effect of the GDPR regulation. Also, the use of third-party services is clearly mentioned more often as a risk-influencing factor in 2018 than in 2015; this is probably caused by the attention that the media has paid in recent years to breaches of third-party services. In general, almost all cyber actors, cyber threats, cyber-related risk-influencing factors, and cyber-related business risks are mentioned more often in 2018 than in 2015 by exactly the same listed Dutch organizations. This indicates that the attention given to cyber by listed Dutch organizations is, as expected, increasing. The many breaches that have happened over the last years, and these breaches reaching the media as well, are probably an explanation for this increase.

7 CONCLUSION

Looking at the collected results and the provided discussion, the conclusion can be drawn that listed Dutch organizations are moving towards more disclosure of cyber risks and cyber controls in their annual reports. Dutch organizations do not seem to be behind on US organizations. Some details are even mentioned more often by Dutch organizations than by US organizations. When comparing the cyber disclosure of Dutch organizations with that of their external IT auditors, Dutch organizations seem to pay more attention to the cyber actors that can cause cyber incidents than the IT auditors do. The same is true regarding the mentioning of the business risk of losing a good reputation due to cyber incidents. Both Dutch organizations and IT auditors agree on the impact of cyber-related regulation and the risk of unintentionally exposed data. Overall, this study indicates that listed Dutch organizations are increasing their disclosure of cyber details, which could be an indication of the increasing attention that organizations spend on cyber matters in general. Legislation that would force organizations to disclose cyber details in a certain way could possibly have an impact on the cyber disclosure of Dutch listed organizations, but this study indicates that it does not have a clearly noticeable impact when comparing the US results with the Dutch results.

For IT auditors, it could be useful to invest more time in the cyber actors that target organizations. This could make it easier to predict the cyber-related business risk of organizations, since cyber actors can be seen as the root of cyber incidents. Listed Dutch organizations can probably learn a lot from their own cyber history and from the cyber history of the sector they operate in. Disclosing cyber history to stakeholders would increase the transparency of these organizations.

7.1 Limitations and Future Research

7.1.1 Limitations.

The first limitation of this study is that only 15 listed Dutch organizations were analyzed. The reason for this is the limited number of IT audit forms that were provided by the accountant. Although reviewing 15 organizations over 2 distinct years and reviewing the cyber risk indication forms broadens the scope, this study would possibly give greater insights if more organizations were included.

Another limitation of this study is that different IT auditors documented the cyber risk forms, each with their own style and specificity. Although the forms all include the same questions, clear differences still exist in how the various questions are answered by different IT auditors.

Since all the content analysis is done by one human researcher, the chance of human mistakes is present. The reliability of the coding could not be checked because inter-coder reliability could not be measured. Utilizing a computer program to analyze all the text was an option as well, but setting up such a program can cost a lot of time and there is still a chance of errors.

7.1.2 Future Research.

A possible interesting topic to include in a study like this in the future could be a comparison that provides insight into whether the Netherlands is leading the way compared to other countries regarding cyber risk disclosure. This could be done by comparing Dutch organizations with other EU-based organizations, or by comparing Dutch organizations with organizations based in a completely different part of the world. Also, including the cyber disclosure numbers of US organizations over the year 2015 besides the already present numbers of 2018 could indicate what kind of cyber disclosure trend is currently prominent in the Netherlands compared to the trend in the USA.

Another useful study might be to find out if a correlation exists between the intensity of cyber reporting by organizations and the cyber-related business risk of organizations. Determining whether organizations that generally disclose more cyber details have a higher inherent cyber risk and a lower residual cyber risk could be useful as well.
