According to the FT: "Proxy adviser Glass Lewis has updated its voting policy for boards’ oversight of cyber security and how companies deal with cyber incidents after the US regulator introduced new rules about disclosure."
Glass Lewis has also notably toughened its UK 2024 Benchmark Policy Guidelines:
"We have expanded our policy on cyber risk oversight to outline our belief that, where a company has been materially impacted by a cyber-attack, shareholders can reasonably expect periodic updates communicating the company’s ongoing process towards resolving and remediating the impact of the attack. In instances where a company has been materially impacted by a cyber-attack, we may recommend against appropriate directors should we find the board’s oversight, response or disclosures concerning cybersecurity-related issues to be insufficient, or not provided to shareholders."
Regulators have continued to step up expectations. In the US, the Securities and Exchange Commission adopted new rules over the summer requiring US-listed public companies to disclose a cybersecurity incident within four business days of determining that it is material, with potential impact for UK companies that are SEC registrants too.
It's yet to be seen whether UK disclosure regulations will be tightened further. But the direction of travel is clear. The UK's Financial Reporting Council issued Digital Security Risk Disclosure guidance in 2022, accompanied by warnings that investors see 'boilerplate' risk disclosures as a sign that a company doesn't take cybersecurity seriously.