Identification of director skills and expertise
The most significant disclosure shift we’ve observed in four years is the change in cybersecurity expertise on the board. In 2021, 65% of boards disclosed cybersecurity as an area of expertise sought on the board or cited in a director biography, up from 36% in 2018. Notably, a majority (56%) now cite cybersecurity in at least one director biography, up from 44% last year and 27% in 2018.
A closer look at these changes over the past year shows that for most of the companies adding cyber experience in a director biography, the change is related to a new director joining the board. These new directors include former chief information officers and information technology (IT) executives, the head of a cybersecurity company and a former leader in the US Government. For a few companies, the change reflected a change in disclosure, with the companies explicitly citing cybersecurity experience in certain director biographies one year, but not the other. In one instance, this related to a director completing a cybersecurity oversight certification. The disclosures indicate that companies are paying more attention to noting directors' experience or expertise in cyber.
Management reporting to the board
The next area in which we’re seeing disclosure enhancements over time is management reporting to the board. This year, just over two-thirds (69%) of companies provided insights into management’s reporting to the board or committee overseeing cybersecurity matters, up from 58% in 2018.
While that change is notable, the real change we’re seeing is around the specific information companies are providing in this area. In 2021, 44% of companies identified at least one person who is reporting to the board about cybersecurity, most often the chief information security officer (CISO) or chief information officer (CIO). That’s up from 26% in 2018. Similarly, this year 34% of companies disclosed that management is reporting to the board about cybersecurity at least annually or quarterly, up from 13% in 2018. Many other companies include language about the frequency of management reporting, but it usually is not specific, saying that the board receives reports regularly or periodically.
Adding specificity in this area of disclosure may help stakeholders recognize that the board is engaging with the CIO or CISO on an appropriate cadence to conduct its oversight. While it is common for either the CIO or CISO to routinely brief the board, many directors indicate they intentionally raise cyber risks in their interactions with other members of management. In doing so, directors set a heightened tone at the top and demonstrate that cyber is viewed as an enterprise risk, not just an IT risk.
Board-level committee oversight
Ninety percent of companies this year charged at least one board-level committee with cybersecurity oversight, up from 87% last year and 75% in 2018. Audit committees remain the primary choice for those responsibilities. This year, 68% of boards assigned cybersecurity oversight to the audit committee, up from 58% in 2018. Among the boards assigning cybersecurity oversight responsibilities to the audit committee, only about two-thirds (65%) formalize those responsibilities in the audit committee charter.
Since 2018, we’ve observed a significant increase in boards assigning cybersecurity oversight to non-audit committees, most often risk or technology committees. Specifically, this year 30% of boards assigned cyber to a non-audit committee, up from 19% in 2018. Among the boards assigning such responsibilities to non-audit committees, all include those responsibilities in the charter.
Alignment with an external framework or standard
This year, the number of companies that disclosed the alignment of their cybersecurity program and information security practices to external security process or control frameworks increased to 10%, up from 1% in 2018. The most common framework cited was the National Institute of Standards and Technology’s (NIST) cybersecurity framework, which was cited by 6% of companies. Other information security frameworks or reporting standards cited include the International Organization for Standardization (ISO) 27001 (3%) and NIST 800-53 (3%), among others. In addition, a number of companies disclosed that certain portions of their cybersecurity controls were covered by the American Institute of Certified Public Accountants’ (AICPA) System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2) service audit reports (1%).