
Singaporean firms keep mum on cyber risks
Only 1 in 20 discloses cyber risks.
Compared to three years ago, companies in Singapore have been making steady progress in improving their risk governance disclosures, but there remains a significant lack of disclosure for strategic and cyber risks, according to an ISCA-KPMG study.
The study found that while a majority of the companies have disclosed their financial, operational, compliance and information technology (IT) risks as specified by the Corporate Governance Code, far fewer disclosed strategic and cyber risks (31% and 5% of companies respectively).
"Given the recent rise in the number of companies falling victims to malicious cyber-attacks, companies could be more forthcoming in disclosing such risks," the study said.
The study also found a lack of specificity in risk disclosures. Companies rarely describe their risks and merely group them into broad risk categories (financial, operational, compliance, IT). According to the study, about 61% of the companies did not mention any specific risk type, while only 39% provided a short description.
Overall, the study shows enhanced clarity in the disclosure of the Board's responsibilities in risk governance. When the study was conducted in 2013, only 34% of the companies indicated that their boards are responsible for risk governance. In 2016, this percentage improved significantly to 100%. This highlights the much stronger recognition that the Board is responsible for the governance of risk.
Given the increasing complexity of the risk landscape, more companies have restructured their boards over the past three years to have either a formally constituted Audit and Risk Committee (ARC) or a separate Board Risk Committee (BRC): the percentage has increased from 2% to 16% for ARC, and from 12% to 16% for BRC.