Many publicly traded companies in the Dutch AEX, AMX and AScX indices fail to be transparent on cybersecurity efforts in their annual reports. While the Netherlands is a highly digitized society, 47 percent of listed companies there do not provide much insight into how they are keeping their organizations secure.
The Cyber Security Annual Report (CSAR) by the Erasmus School of Law in Rotterdam shows that nearly half of those companies do not mention any specific measures taken on the cybersecurity front, thereby keeping investors in the dark. Only Ahold (Giant Food Stores, Stop & Shop, Peapod), paint and coatings company AkzoNobel, commercial real estate company Unibail-Rodamco-Westfield and private banking firm Van Lanschot reported having six or more cybersecurity measures in place in their annual reports. Among those measures were the appointment of a CISO and providing employees with security awareness training (SAT).
According to the authors of the CSAR study, because no Dutch law requires information on cybersecurity in annual reports, organizations do not feel the need to share their policies. The Netherlands being named the country in Europe most likely to be hit by cybercrime should be an indication that publicly traded companies there do not have the luxury of leaving information on cybersecurity out.
Being transparent about the measures being taken within the organization can also lead to a trickle-down effect by which the entire organization (and society!) becomes more aware of the risks of cybercrime. Furthermore, providing additional information on the results and value of cybersecurity efforts like new-school security awareness training will make investors feel more confident and will inspire other companies to go the extra mile.