What IROs Need to Know About Cybersecurity

In recent years, the frequency of major cyber attacks has increased at an alarming rate — for IR professionals, education and preparation are the best lines of defense.

For all the wonderful improvements ushered in by the digital age, it has also opened new doors for crime and fraud. Cyber attackers are finding new, inventive ways to steal sensitive customer (and company) information on a near daily basis.

To be sure, such attacks have significant financial cost (more than $6.5 million on average, according to Ruth Venning of NIRI), but even more damaging is the hit to a company’s reputation and the subsequent loss of revenue. Incredibly, 60% of small businesses go out of business after a publicly disclosed data breach. The rate of cyber incidents has also increased dramatically in recent years (up 55% in 2014 from 2013), and that number is only likely to keep rising well into the future.

It’s no wonder, then, that cybersecurity is the number one concern for board directors and corporate general counsels — and it should be for IROs as well.


Shareholders are increasingly factoring cybersecurity into their investment decisions, closely vetting companies and their directors to see what steps they are taking to minimize risk. It is therefore essential that as an IR professional, you have a keen understanding of those risks, and how your company is addressing them.

Ideally, a comprehensive cybersecurity system will already be in place. Not only does such a system empower you to protect valuable data and assuage stockholder concerns, but having one in place before an incident occurs can also reduce the associated costs by 12%.

Andrew Liuzzi, the U.S. crisis lead for data security at Edelman, encourages companies to adopt a proactive, 5-step approach. Among the steps is establishing clear roles and responsibilities for your data security communications response team. It is also crucial to “know key internal and external stakeholders and channels to reach them,” in addition to fostering strong relationships with legislators, regulators, and policymakers. Finally, test your plan with simulated exercises to identify any problem areas and to ensure your team knows what to do in a variety of potential scenarios.

Stay Vigilant

As dangerous as hackers can be, they may not be the greatest risk to your company — the company’s greatest security liability could be you. In 2014, 19% of cyber breaches were caused by negligent employees, and as an IRO, you need to be especially careful. Stay cognizant of how you draft and send your emails, and on what accounts and devices; encryption and password-protection can help ensure the safety of sensitive information. Be sure to proactively work with your company’s IT team to establish the safest practices.


Communicating with your investors is an equally important facet of cybersecurity for IROs, both legally and practically. The SEC’s Form 10-K “requires information about the company’s cybersecurity risks and disclosure of any cybersecurity litigation.” Although there are no such disclosure requirements for proxy statements (a document the SEC requires that gives shareholders the pertinent information to make informed decisions, according to Investopedia), the Senate is considering a bill “that would require publicly traded companies to disclose whether (or why not) their board members have cybersecurity expertise.”

Companies like Allstate, Coca-Cola, and Staples are already disclosing this information in their proxy statements. While you don’t necessarily need to go deep into detail, says Venning, “mentioning directors’ data security expertise or indicating which committee governs cybersecurity risk oversight may help assure investors that the company takes cybersecurity seriously.”

Even outside of your legal obligations, staying in regular contact with your shareholders is an advisable practice. Venning recommends setting up a formal Q&A session with your investors to address any concerns over your company’s cybersecurity programs, particularly in higher-risk industries like healthcare, financial services, and retail. And because the likelihood of a cyber incident is increasingly high, you need to arm yourself (and your shareholders) with information, preparation, and clear communication.