
Cyber Risk & Governance: Should Public Company Reporting Be More Transparent?
Research on the volume and frequency of cybersecurity incidents is plentiful. Threat research published in 2025 points to the persistent and growing challenge of ransomware and the growth of supply chain as a mainstream attack vector. Identity-based attacks are also growing with credential abuse now rivalling exploits as the top initial access method. The role of AI is set to expand, being used to propagate social engineering attacks and to build malicious code.
Few enterprises have escaped the concerted efforts of state-sponsored threats and hacktivists. Volt Typhoon and Salt Typhoon targeted global telecommunications infrastructure, impacting Verizon and T-Mobile. Marks & Spencer, a leading UK retail chain in the FTSE 100, experienced a sophisticated social engineering attack that led to disruption across its online services and supply-chain, with losses in excess of £1.2B. Hundreds of organisations were affected by the Snowflake cloud data breach, and hundreds more by the surge in Play ransomware campaigns.
Given the growing cyber risk and number of significant incidents, have public companies made a proportionate investment in cyber governance and resilience? Whilst growing cybersecurity vendor revenues point to improving cybersecurity maturity, a further source of insight can be derived from how leading organisations report on cyber risks and threats. Westlands Advisory recently conducted a comparative analysis of cybersecurity terminology in the annual reporting of the Dow Jones Core 30 and Euronext Core 30 companies.
Starting with the Dow Jones Core 30, plus a couple of recent leavers, mentions of the term ‘cybersecurity’ in annual reports and major announcements increased by 146% from 2020 to 2024, or by 25% per year. A review of the contextual count – adjusted for multiple mentions of the term when referring to the same subject – reveals similar growth. This is broadly the same across industry sectors, whether finance, healthcare, or industrial conglomerates. Part of the increase could be attributed to the new SEC reporting requirements from 2023. However, there are no similar requirements in Europe and there has been a similar growth in the use of ‘cybersecurity’ and its derivatives in the Euronext Core 30. In fact, ‘cybersecurity’ is more commonly referred to in European reporting.
However, of note is the increased commentary on threats in US reporting - data breaches and ransomware - and the difference between reporting in the US and EU. US reporting consistently has higher volumes and greater diversity in cybersecurity discourse. Mentions of ‘threat actors’ and ‘third-party risk’ for example grew more dramatically in the US, suggesting greater emphasis on external and systemic vulnerabilities. In contrast, European firms remained comparatively muted on terms linked to active threat profiling.
Where the divergence becomes most pronounced is in operational readiness. References to ‘cloud security,’ ‘zero trust’ and ‘incident response’ all increased sharply among US reporting, while most EU filings have been slower to adopt these terms into their public risk vocabulary. This almost certainly reflects differences between reporting requirements and investor expectations. The SEC requires US public companies to document cybersecurity processes and practices, resulting in greater transparency.
While US firms reference a wider and more detailed set of cyber-related terms, EU firms are more inclined to repeatedly emphasise ‘cybersecurity’ without substantive reporting. By contrast, US public company reporting demonstrates an evolution from generic awareness in 2020 to detailed acknowledgement of actors, vectors, and technical practices by 2024. This highlights a more deliberate alignment between what is disclosed and how risk is managed, treating cybersecurity not just as a compliance issue but as a strategic risk category that demands transparency in posture not just presence.
So, what does the data tell us? Firstly, cyber risk is a growing concern and an important topic within the boardroom. Whilst US organisations were not required to disclose practices in detail before 2023, they are now doing so and stating on public record that they have the people and processes in place to reduce risk. It also highlights that zero trust is now common parlance, attention to incident response has increased, and that securing cloud infrastructure and workloads is a priority. So, to answer the question at the outset of this paper, it appears as though public companies have made considerable progress with improving cyber resilience.
Secondly, the data also tells us that large public companies in Europe are not as transparent about cyber risk, leaving investors unclear about the scale and efficacy of cyber operations. Public companies need to be careful about oversharing, but they should also strive to improve investor confidence and be more accountable in an era of heightened cyber risk. Moving forward, given increasing regulatory requirements in Europe – including NIS2 and DORA – it is possible that European public companies will increase reporting on cybersecurity processes, and that will be a positive step forward.