In our latest analysis of cyber-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies, we found more companies providing information about how they are rising to the challenges. Yet in some areas, the gaps in information are nearly universal. For instance, only 9% disclosed performing response readiness simulations.
With the stakes so high, directors’ tone at the top must continue to elevate the importance of managing cybersecurity risk on a company-wide basis, and not just as an IT matter, and ensuring proper disclosure. Enhanced disclosures clarify for investors and other stakeholders the rigor of the board’s oversight, and management’s role in assessing and managing cybersecurity risks. But to build better defenses against evolving threats, organizations also need to break out of their silos and echo chambers and promote a culture of cooperation, both internally and with other organizations. Independent outside parties can also help expand knowledge bases, strengthen capabilities and identify blind spots in security and risk management.
Our refreshed analysis of the proxy statements and 10-K filings, the fifth in an annual series, was designed to identify emerging trends and opportunities for enhanced communication. We looked at filings from 74 Fortune 100 companies that filed from 2018 through May 31, 2022. We cited sample language from their disclosures and also examined the current US regulatory and public policy cyber landscape.
To be sure, the latest proxy statement and 10-K filings provide a look back. By contrast, the SEC’s proposed rules, among others, will shape the future. They have the potential to expose gaps in defenses and disclosures while serving as a roadmap for closing them. Companies shouldn’t wait to use that map. This is the year to get moving.
The SEC’s proposed rules: to be finalized in 2023
Under Chair Gary Gensler, the SEC has prioritized cybersecurity in its agenda. In 2022, the commission issued a couple of cyber‑related rulemakings, illustrating its commitment to addressing cyber threats in the capital markets.
In March, the commission proposed rules that would, among other things, require cybersecurity incident reporting, and periodic reporting by public companies of their cybersecurity risk management, strategy and governance. The SEC’s regulatory agenda indicates it will finalize the proposed rules in spring 2023. As drafted, the rules would require registrants to disclose the following information:
- Whether there is cybersecurity expertise on the company’s board of directors and, if so, the nature of such expertise
- Whether the entire board, specific board members or a board committee oversees cybersecurity risks; how the board is informed about those risks, including the frequency of its discussions on the topic; and how the board or relevant board committee considers the risks as part of its oversight of business strategy, risk management and financial oversight
- Policies, procedures and strategies, if any, for identifying and managing cyber threats
- Management’s role in assessing and managing cybersecurity risks and in implementing the registrant’s cyber policies, procedures and strategies, including whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, and whether the registrant has a designated chief information security officer (CISO)
The proposal also requires disclosure of a material cybersecurity incident in Form 8-K within four business days of determining that it is material, and that registrants provide updates in periodic reports about previously disclosed material incidents. In addition, registrants must disclose when a series of previously undisclosed individually immaterial cyber incidents becomes material in the aggregate.
10 leading practices to oversee cyber risk
EY regularly engages with boards and hosts gatherings of directors and cybersecurity experts to discuss challenges and leading practices in overseeing cyber risk. During the past year, our programs included dialogues involving more than 500 directors, and a three-part webcast series attended by over 18,000 people. The webcasts covered ransomware, leading practices for cyber oversight, and regulatory developments in cyber and data privacy.
Based on insights gained through our engagements with directors, as well as what EY cybersecurity leaders have learned from assignments around the globe and across industries and company sizes, we have identified these 10 leading practices to help boards oversee cyber risk:
1. Elevate the tone.
Establish cybersecurity as a key consideration in all board matters.
2. Stay diligent.
Address new issues and threats stemming from remote work and the expansion of digital transformation. And remember that every employee needs to be diligent, too — 82% of breaches involve a human element, according to Verizon’s 2022 Data Breach Incident Report, issued in late May.
3. Determine value at risk.
Reconcile value at risk in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage.
4. Leverage new analytical tools.
Such tools inform the board of cyber risks ranging from high-likelihood, low-impact events to low-likelihood, high-impact events (i.e., a black swan event).
5. Embed security from the start.
Embrace a “trust by design” philosophy when designing new technology, products and business arrangements.
6. Independently assess your program.
Obtain a rigorous third‑party assessment of your cyber risk management program (CRMP).
7. Evaluate third-party risk.
Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain. Supply chains were responsible for 62% of system intrusion incidents in 2021, according to Verizon’s 2022 Data Breach Incident Report.
8. Test response and recovery.
Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third-party specialists before a crisis.
9. Understand escalation protocols.
Have a defined communication plan for when the board should be notified, including incidents involving ransomware.
10. Monitor evolving practices and the regulatory and public policy landscape.
Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics.
US public policy developments
Following up on President Biden’s May 2021 executive order on cybersecurity, the administration has continued its efforts to strengthen the nation’s cyber defenses, particularly in the wake of the war in Ukraine and related cyber threats.
Disclosure of cyber breaches continues to be a major topic of consideration, both at federal agencies and in Congress. In a statement issued on March 21, 2022, the president underscored the important role that US corporations must play in the fight: “You have the power, the capacity and the responsibility to strengthen the cybersecurity and the resilience of the critical services and technologies on which Americans rely.”
The SEC’s Division of Corporation Finance posted a sample comment letter on the SEC website to illustrate the types of comments it may issue to companies regarding disclosures on the direct and indirect effects of the war in Ukraine, the sanctions on Russia, and related supply chain issues. In the letter, the SEC staff reminded registrants that they have obligations to provide detailed disclosures, to the extent material or otherwise required, about new or heightened risk of cyber attacks.
Conclusion
Although the proposed SEC rules would formalize the timing and specify the content and location of cybersecurity disclosures by companies, registrants need not wait for the rules to become final, nor limit themselves to doing only what is required. In other words, an opportunity is at hand to strengthen disclosures to demonstrate accountability and engagement, and to build stakeholder trust around how cybersecurity is prioritized, managed and overseen as a critical enterprise risk and strategic function.
Future threats — data manipulation, deepfake videos and other disinformation campaigns — will most certainly influence behavior, alter perspectives and exploit errors in human judgment. Cyber attacks and those who carry them out will continue to evolve. So must our command of innovative technologies, defensive measures and proactive governance to safely negotiate the ever‑changing threat landscape. One of the best ways to protect against intrusions is to move from a culture of withholding information and processes to one of sharing and working together.
A recent article revealed just such an effort, reporting that “some of the nation’s largest banks are now ... engaging in role play and sharing information they would have guarded closely in the past.”¹
Questions for the board to consider
- Has management performed an analysis comparing the company’s current cybersecurity disclosures with the SEC’s proposed rules and shared the results with the board?
- Do the company’s disclosures effectively communicate the rigor of its cyber-risk management program and related board oversight?
- Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity and ESG disclosure requirements?
- Have appropriate and meaningful cyber metrics been identified and provided to the board on a regular basis and given a dollar value?
- What kind of threats is the company most concerned about? How does the company monitor the evolving threat landscape? Has the company been the target of a major cyber attack?
- What information has management provided to help the board assess which critical business assets and partners, including third parties and suppliers, are most vulnerable to cyber attacks?
- How does management evaluate and categorize identified cyber and data privacy incidents and determine which ones to escalate to the board?
- What kind of policies has the company established on ransomware? How have the company and board approached the issue of payment?
- Has the board participated with management in one of its cyber breach simulations in the last year? How rigorous was the testing?
- Will new or pending privacy regulations and frameworks impact the organization’s strategy, competitive position, and business models and practices?
- Has the board leveraged a third-party assessment, as described in the NACD’s cyber-risk oversight handbook, to validate that the company’s cyber risk management program is meeting its objectives? If so, is the board having direct dialogue with the third party related to the scope of work and findings?
- Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?
Summary
As cybersecurity risks continue to grow, stakeholders want more information about how companies are addressing and governing these risks. Some companies are responding through additional disclosures related to cybersecurity expertise on the board, oversight practices and reports from management. Our annual analysis reveals how Fortune 100 company disclosures around cybersecurity have evolved in the past five years.