Day 2

Annual Reports: Security by Obscurity on Steroids

Main Stage
11:10 - 11:35

According to the Dutch Corporate Governance Code, Supervisory Boards should take care to consider the impact of new technologies and cybersecurity on their long-term value creation strategy, and include cybersecurity, supply chain dependencies and data protection in their risk management.

This aligns with new European regulation such as NIS2 and DORA, which puts forward much more stringent requirements on board members to have knowledge about, and be accountable for, cybersecurity, at the risk of being held personally liable. These new requirements come at a time when just 13% of the Top 100 Dutch Board Members have had any dealings with IT in their career, and only 1% has indirect experience with cybersecurity.

This is reflected in the way most of them talk about cybersecurity in their annual reports, in a section that is often missing or minimised. “Cybersecurity is a top priority for us” and “we have done many things to improve cybersecurity over the last year” are about as much food for thought as the average annual report gives its reader. Although presenting information about the state of cybersecurity potentially puts a target on the back of a company, security by obscurity should never be the answer.

Investors and citizens have a right to know how well guarded their information and the continuity of the organisation are from a cybersecurity perspective. Many organisations, even critical infrastructure operators, seem to conveniently neglect the systemic risk to society of their being unable to operate for multiple days, as in a ransomware attack. We need to understand the likelihood of that happening, how the organisation is addressing those risks and whether there is a plan B.

This session contains the following segments, with the aim of providing attendees with the ammunition to challenge cybersecurity public reporting in their organisation.

Speakers in this session

Esther Schagen-van Luit