Every annual report has a risk section. Somewhere between the chairman's letter and the financial statements, management lists the things that could go wrong. Cyber risk has appeared in these sections for years. Usually a paragraph or two, sandwiched between regulatory change and climate risk, written in language broad enough to cover anything and specific enough to cover nothing.

Then someone actually attacks the infrastructure.

In the weeks following the Iran escalation, state-linked threat actors have reportedly targeted US power grid operators and water treatment facilities. The attacks are not theoretical. They are operational. Governments across the US, UK, and Australia have issued emergency directives to critical infrastructure operators. The Australian Signals Directorate elevated its threat advisory to the highest level since the framework was introduced.

This is not an article about cybersecurity stocks or which defence contractors to buy. The Q Factor does not predict markets and does not recommend trades.

This is about a question that matters to every investor with holdings in infrastructure, financial services, healthcare, or utilities: what did your company's board actually say about cyber risk in the annual report, and did they back it up with anything real?

Key Insight: Cybersecurity disclosure in annual reports falls into three categories: boards that demonstrate genuine technical governance, boards that name a risk without quantifying it, and boards that use generic language to satisfy a compliance checkbox. The current crisis is revealing which category each company falls into.

The Annual Report Test

When we analyse annual reports at The Q Factor, cyber risk disclosure is one of the qualitative signals we assess. Not because we are cybersecurity analysts, but because the quality of a company's risk disclosure tells you something about the quality of its governance.

A management team that writes "the company faces cybersecurity risks which could materially impact operations" has told you nothing. Every company faces cybersecurity risks. That sentence could have been written in 2015 or 2035, for a bank or a bakery.

A management team that discloses their board includes a director with formal technical credentials, that they conduct annual penetration testing, that they carry a specific level of cyber insurance, and that they have allocated a stated percentage of IT spend to security infrastructure has told you something useful. Not about whether they will be attacked, but about whether the board takes the risk seriously enough to commit resources and accountability.

The difference between these two approaches is the difference between governance and theatre.

Three Patterns We Are Seeing

1. The Board Expertise Gap

Regulators have been pushing for board-level cyber expertise for years. The SEC's 2023 cybersecurity disclosure rules require registrants to describe the board's oversight of cybersecurity risk and management's role and relevant expertise in assessing and managing it. The proposal to require disclosure of whether individual directors have cybersecurity expertise was dropped from the final rule, so that detail remains voluntary, which makes a board's decision to disclose it (or not) a signal in its own right.

In practice, what we find in annual reports across the ASX, NZX, and SGX varies enormously. Some boards have appointed directors with genuine technical backgrounds: former CISOs, technology executives, or defence intelligence professionals. These appointments are verifiable and specific.

Others mention "cyber oversight" in the board charter but list no director with relevant credentials. The committee exists on paper. The expertise does not exist in the room.

This is precisely the kind of Say/Do gap we track. If a board states in its corporate governance section that it maintains "robust oversight of cybersecurity risk," but no director has a technical background and the annual report contains no detail on testing, insurance, or incident response capability, that is a signal. It does not mean the company will be breached. It means the board is making a governance claim it cannot substantiate.

2. The Disclosure Spectrum

Across the companies we cover, cyber risk disclosure sits on a spectrum. At one end, companies that provide specific, auditable information. At the other, companies that insert a standard paragraph about "evolving threats" and move on.

The current crisis is not changing what companies say. Annual reports are backward-looking documents; the 2025 reports were written before the Iran escalation. What the crisis is changing is the weight investors should place on what was said. A company that disclosed specific cyber resilience measures twelve months ago looks prepared. A company that treated cyber risk as a compliance footnote now looks exposed, not necessarily to an attack, but to the reputational and operational consequences of having underinvested in a risk it claimed to be managing.

When the next round of annual reports is published, the quality of cyber disclosure will be one of the clearest indicators of whether management adapted or simply added another paragraph of boilerplate.

3. The Infrastructure Dependency Chain

The most interesting disclosure gaps are not in technology companies. They are in companies that depend on infrastructure but do not consider themselves technology businesses.

Ports. Airports. Water utilities. Power distributors. Hospital operators. Logistics companies. These businesses run on operational technology that was designed decades ago for reliability and physical safety rather than for a hostile network, and often without modern security architecture. Their annual reports discuss operational efficiency, capital expenditure on physical assets, and regulatory compliance. Cyber risk, if mentioned at all, is typically framed as an IT issue rather than an operational one.

For investors in these sectors, the credibility question is straightforward: does the annual report acknowledge the specific operational technology risks the business faces, or does it treat cybersecurity as something the IT department handles?

What to Check in Your Own Holdings

You do not need to be a cybersecurity expert to assess whether a board takes the risk seriously. The annual report provides the evidence.

Board credentials. Does any director have a verifiable background in technology, cybersecurity, or information security? A former CTO or CISO is a signal. A director described as having "broad technology experience" without specifics is not.

Spending commitments. Does the report reference specific cybersecurity investments, testing programmes, or insurance coverage? Or is the disclosure limited to policy statements?

Incident history. If the company has experienced a cyber incident (many have, few disclose), does the annual report address it directly and describe remediation? Or has it been quietly dropped from subsequent reports?

Operational technology acknowledgement. For companies in infrastructure, logistics, or healthcare: does the report acknowledge operational technology risk specifically, or only IT risk?

These are the same signals we assess as part of our qualitative analysis. Not because we predict cyber attacks, but because the quality of risk disclosure is a proxy for the quality of governance.

The Point

Cybersecurity has been in risk sections for a decade. For most companies, it was a paragraph. For some, it was a genuine governance priority backed by board expertise, spending commitments, and specific disclosure. The Iran escalation has not changed which companies fall into which category. It has made the distinction more consequential.

The annual report is the document where management puts its governance claims on the record. When the next round is published, the companies that treated cybersecurity as a compliance checkbox will have to decide whether to continue doing so or whether to substantively upgrade their disclosure. That decision, and the consistency between what they say and what they do, is what we track.

At The Q Factor, we assess governance quality across 590+ companies on the ASX, NZX, SGX, and US markets. Every annual report is scored. Every commitment is tracked. When the threat landscape changes, that tracking becomes more valuable, not less.

Browse company scores for free at theqfactor.io. Full analysis reports are available per credit.

This article is part of The Q Factor's analysis series. Analysis is based on publicly available data from company annual reports, exchange filings, and news sources. This is not financial advice. The Q Factor does not predict stock prices or recommend trades. Every investor's circumstances are different. Always conduct your own research before making investment decisions.