Management reporting to the board
The new SEC rules require disclosing the processes by which the board or committee responsible is informed about cyber risks. Over time, we’ve seen disclosure enhancements regarding management reporting on such risks to the board. This year, 87% of companies provided insights into management reporting to the board and/or committee overseeing cyber matters, up from 55% in 2018.
While that change is notable, the real change we’re seeing is around who is providing that information and how often it is conveyed. In 2023, 57% identified at least one person who is reporting to the board on cybersecurity, most often the CISO or CIO, up from 23% in 2018. Similarly, 49% disclosed this year that management is reporting to the board on cybersecurity at least annually, with a number of companies reporting on at least a quarterly basis, up from 12% in 2018. Many other companies include language on the frequency of management reporting, but typically that language is not specific, alluding to reports to the board that occur “regularly” or “periodically.”
As the rules indicate, the Commission directs registrants to disclose management positions or committees responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. Disclosing details of the frequency of reporting could be included as part of describing the processes by which the board or relevant committee is informed about cybersecurity risks.
Adding specificity to these disclosures may help stakeholders assess whether the board is engaging with the CIO, CISO or equivalent executive with an appropriate cadence to conduct its oversight. While it is common for either the CIO or CISO to routinely brief the board, in our discussions with directors, many indicate that they intentionally raise cyber risks in their interactions with other members of management. In doing so, directors invoke a heightened tone at the top and demonstrate that cyber is viewed as a critical enterprise risk that is ultimately owned by the businesses and that touches key activities across the company, from M&A to product development to vendor management to human resources.
Board-level committee oversight
Under the final rule, the SEC requires companies to identify and disclose whether any board committee or subcommittee is responsible for cybersecurity oversight. In our research, 91% of companies this year charged at least one board‑level committee with cybersecurity oversight, up from 72% in 2018. Since 2018, we’ve observed an increase in boards assigning oversight to committees other than audit, most often risk or technology committees. This year, 31% of boards chose a committee other than audit, for primary or additional oversight, up from 19% in 2018. Among the boards making that choice, 86% added cyber responsibilities to the committee charter.
For now, at least, audit committees remain the primary choice to oversee cybersecurity risk. This year, 75% of the boards chose audit, up from 59% in 2018. Among the boards that chose the audit committee, 82% formalized that responsibility in the committee charter.
Identification of director skills and expertise
Although the final SEC rules do not require disclosing whether directors have expertise in cybersecurity, director cybersecurity expertise represents one of the more significant shifts in disclosure rates that we’ve observed since initiating this analysis six years ago. In 2023, 61% of companies disclosed cybersecurity as an area of expertise sought on the board, up from 20% in 2018. More than two-thirds of the companies now cite cybersecurity experience in at least one director biography, up from 33% in 2018. Gartner predicts 70% of boards will include at least one member with cybersecurity experience by 2026.ᶦᶦ
A closer look at these changes over the past few years shows that, in most cases, the increases in director experience are related to most companies adding cyber‑related experience to longer‑standing board member bios, with some boards adding a new director with cybersecurity experience. The new arrivals have included former CIOs and senior information technology executives, the head of a cybersecurity company, and former leaders in federal intelligence agencies or the Department of Defense.
Alignment with an external framework or standard
The number of companies that disclosed the alignment of their cybersecurity program and information security practices with an external security process or control framework increased to 25% this year, up from just 1% in 2018. The framework of the National Institute of Standards and Technology (NIST) was cited by 16 companies, more than any other. Among the others referenced were the International Organization for Standardization (ISO) 27001 and HITRUST. A number of companies also disclosed that certain portions of their controls were covered by the American Institute of Certified Public Accountants (AICPA) System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2) service audit reports.
Compensation incentives
This year, we observed a modest increase in companies specifically disclosing performance related to cybersecurity or privacy issues as a consideration in determining executive pay: 12% of companies did so, compared with zero in 2018. Even so, companies generally cited cyber considerations (e.g., maintained strong cyber defense with no material business-impacting events amid a heightened cyber-threat environment) among a host of other nonfinancial company or individual performance considerations in executive pay decisions.
Response readiness simulations
The percentage of companies disclosing that they performed cyber incident simulations with management and/or the board remains low, increasing to 16% this year, from 3% in 2018. Of the companies that disclosed such exercises, several disclosed that the board participated, and one specified that the board actively participates in discussions and simulations of cybersecurity risks both internally and with law enforcement, government officials, and peer and industry groups. Rigorous simulations are critical risk preparedness practices that Ernst & Young LLP (EY) and others believe companies should prioritize.
If cybersecurity breach simulation plans are not practiced and a breach occurs, the reaction by the board and management is largely improvised. Well‑designed incident simulations can stress‑test the organization’s capabilities and improve readiness by providing clarity of roles, protocols and escalation processes. These simulations often include third parties (e.g., a public relations firm, forensic specialists, outside counsel and/or law enforcement as noted previously). Policies on ransomware should also be established ahead of time, including whether the company and board would approve payment and under what circumstances, as well as a full understanding of insurance contract terms and conditions. Management should conduct these exercises to test the company’s significant vulnerabilities and identify where the greatest financial impact could occur. Boards should consider participating in these simulations so that their insights and experiences can be incorporated to elevate the company’s ability to respond and recover.
Further, such exercises help companies develop and practice action plans related to data privacy issues. Cyber breaches can — and often do — result in the loss of personal data. These events require compliance with a host of complex state and federal laws (all of which call for prompt notice to states, regulators and affected persons), and may require compliance with the laws of non‑US jurisdictions. Regular practice is key to establishing effective preparation and responses.
Use of external independent advisor
Another component in the SEC rules requires a registrant to disclose whether it uses assessors, consultants, auditors or other third parties in connection with its processes to assess, identify and manage risks from cybersecurity threats, and whether it has processes in place to oversee and identify risks related to its use of third-party service providers. In our analysis, the percentage of companies disclosing the use of an external independent advisor to support management on cybersecurity matters grew to 45% this year, from 15% in 2018. Among the companies that made the disclosure this time around, nine indicated that the board received reports from the independent third party. One company disclosed that the audit and compliance committee annually engages third parties (as well as the company’s internal audit department) to audit the company’s information security programs, whose findings are reported to the audit and compliance committee.
Disclosure of cyber incidents
There appears to be a gap between disclosures related to material cybersecurity incidents, including the depth of the disclosures, as compared with the number and scale of cyber incidents reported in the news media and third‑party reports. The 2023 Verizon Data Breach Investigations Report stated there were 5,199 confirmed data breaches between November 1, 2021 and October 31, 2022, from small to large organizations, but the report did not address the materiality of these breaches. Per research provided to EY researchers from Audit Analytics for the same time period, there were 57 cyber incidents reported to the SEC in a public filing.
The SEC’s rules require disclosure of a material cybersecurity incident in Form 8‑K within four business days of determining that it is material. The SEC states that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important,” and that the company must take into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. If any required information is not determined or is unavailable at the time the company prepares the initial Form 8-K, the company must file an amended Form 8-K containing such information within four business days after it determines such information or the information becomes available.
Disclosures to date range from stating the occurrence of an incident to providing a more in‑depth account, including the number of account holders affected; the nature of the data; costs and insurance offsets; and remedial steps taken to fix the security vulnerability.
The SEC is not the only corporate governance stakeholder seeking more disclosures about cyber incidents. In its Governance QualityScore rating solution, Institutional Shareholder Services (ISS)ᶦᶦᶦ includes 11 factors that address information security risk management and oversight. These factors include board members’ information security expertise; frequency of briefing the board on information security matters; whether the company maintains a cyber risk insurance policy; and the existence of, and financial impact from, recent security breaches.