The problem with this is: who audits these claims?
This sounds like self-certification of security to me. I mean, it's easy enough to recruit an extra board member and call them 'Chief Cybersecurity Officer' or something and then bung a few paragraphs in your company's annual report about how you take it oh-so-very-seriously and do x, y and z. But how does this help if you then have to rely on this being effective, with the only hope being shareholder lawsuits if it turns out not to be?
As this is for publicly listed companies only, why not a standard compulsory yearly audit by a specialist unit within the stock exchanges where these companies are listed?
I've seen something similar working in a bank, where audits were mandatory, carried out by the central bank, long and arduous (believe me, I had to read the huge tome of criteria and regulations and sit in some of the meetings) but obviously very thorough and effective in ensuring that the right standards were met.
By the way, the standards didn't just concern security, but quality of service and availability, and required quality control standards too. Also not a bad idea for other large corporations, I might suggest...