9 minute read 7 Sep 2022

How cyber governance and disclosures are closing the gaps in 2022

Authors
Chuck Seets

Principal, Americas Assurance, Ernst & Young LLP

Community leader. Future-forward thinker. Father. Tar Heels fan.

Pat Niemann

EY Americas Audit Committee Forum Leader

Community champion. Family man. USC Trojan alum.



An annual analysis of cyber-related disclosures of Fortune 100 companies shows that cybersecurity is reaching an inflection point.

In brief:

  • Growing risks and greater stakeholder demands are leading companies to carefully address what they disclose about governance and management of cybersecurity.
  • The SEC prioritized cybersecurity and is expected to finalize rules in early 2023 that will require new cybersecurity disclosures from public companies.
  • Fortune 100 companies continue to increase disclosures in certain categories of cybersecurity risk management and oversight.

Cybersecurity risks are growing, and broader regulations are looming. Some companies are keeping pace, but others are lagging, both in disclosures and warding off threats. To close these gaps, directors should foster a culture of cooperation while elevating the tone at the top.

This is the year for directors to double down on closing the gaps in the company’s cybersecurity defense and disclosure practices. The risks companies face, already high, are multiplying and accelerating, marked this year by potential threats tied to the war in Ukraine. Meanwhile, more guidance on cyber oversight and disclosure is here or on its way: from the Securities and Exchange Commission (SEC or commission), which proposed new rules earlier in 2022, and from Congress, which recently passed far‑reaching legislation. Additionally, Institutional Shareholder Services Inc. (ISS) added 11 new cyber risk factors to its Governance QualityScore in 2021.

Download the full report to read the detailed analysis.


In our latest analysis of cyber-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies, we found more companies providing information about how they are rising to the challenges. Yet in some areas, the gaps in information are nearly universal. For instance, only 9% disclosed performing response readiness simulations.

With the stakes so high, directors’ tone at the top must continue to elevate the importance of managing cybersecurity risk on a company-wide basis, not just as an IT matter, and of ensuring proper disclosure. Enhanced disclosures clarify for investors and other stakeholders the rigor of the board’s oversight and management’s role in assessing and managing cybersecurity risks. But to build better defenses against evolving threats, organizations also need to break out of their silos and echo chambers and promote a culture of cooperation, both internally and with other organizations. Independent outside parties can also help expand knowledge bases, strengthen capabilities and identify blind spots in security and risk management.

Our refreshed analysis of the proxy statements and 10-K filings, the fifth in an annual series, was designed to identify emerging trends and opportunities for enhanced communication. We looked at filings from 74 Fortune 100 companies that filed from 2018 through May 31, 2022. We cited sample language from their disclosures and also examined the current US regulatory and public policy cyber landscape.

To be sure, the latest proxy statement and 10-K filings provide a look back. By contrast, the SEC’s proposed rules, among others, will shape the future. They have the potential to expose gaps in defenses and disclosures while serving as a roadmap for closing them. Companies shouldn’t wait to use that map. This is the year to get moving.

What we found: mixed results

In comparing the proxy statements and Form 10-K filings of Fortune 100 companies over the past five years, we have seen steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight. Disclosure of director cybersecurity skills and expertise (cybersecurity sought as an area of board expertise or cited in at least one director biography), for example, reached a 61% disclosure rate in 2022, up from 35% in 2018.

Other areas of noteworthy increases in disclosure rates in the 2022 filings:

  • Providing insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters: 74% in 2022, up from 54% in 2018; identifying at least one point person (e.g., the chief information security officer (CISO) or chief information officer (CIO)): 49%, up from 23%
  • Including language about the frequency of management reporting to the board or committee(s): 68%, up from 36%
  • Maintaining cybersecurity insurance: 51%, up from 31%

Fortune 100 cybersecurity disclosures, 2018–22

New this year: references to SEC and ISS denote disclosure areas included in the SEC’s proposed rules and in ISS’s list of cyber risk factors.

Note that some elements of the SEC’s proposals, notably those relating to material breaches, are not reflected in the chart.

Category: Board oversight

| SEC/ISS | Topic | Disclosure | 2022 | 2021 | 2020 | 2019 | 2018 |
|---|---|---|---|---|---|---|---|
| | Risk oversight approach | Disclosed a focus on cybersecurity in the risk oversight section of the proxy statement | 95% | 88% | 89% | 86% | 76% |
| SEC, ISS | Board-level committee oversight* | Disclosed that at least one board-level committee was charged with oversight of cybersecurity matters | 88% | 89% | 86% | 81% | 72% |
| | | Disclosed that the audit committee oversees cybersecurity matters | 70% | 69% | 68% | 62% | 57% |
| | | Disclosed oversight by a non-audit-focused committee (e.g., risk, technology) | 28% | 28% | 24% | 26% | 18% |
| SEC, ISS | Director skills and expertise | Cybersecurity disclosed as an area of expertise sought on the board or cited in at least one director biography | 61% | 65% | 57% | 49% | 35% |
| | | Cybersecurity disclosed as an area of expertise sought on the board | 46% | 42% | 36% | 27% | 20% |
| | | Cybersecurity cited in at least one director biography | 51% | 55% | 46% | 39% | 28% |
| SEC | Management reporting structure | Provided insights into management reporting to the board or committee overseeing cybersecurity matters | 74% | 65% | 61% | 58% | 54% |
| | | Identified at least one “point person” (e.g., the chief information security officer, chief information officer) | 49% | 41% | 35% | 32% | 23% |
| SEC, ISS | Management reporting frequency | Included language about frequency of management reporting to the board or committee(s) | 68% | 54% | 47% | 43% | 36% |
| | | Disclosed reporting frequency (e.g., annually, quarterly) | 39% | 31% | 15% | 15% | 11% |

Category: Statements on cybersecurity risk

| SEC/ISS | Topic | Disclosure | 2022 | 2021 | 2020 | 2019 | 2018 |
|---|---|---|---|---|---|---|---|
| | Risk factor disclosure | Included cybersecurity as a risk factor | 100% | 100% | 100% | 100% | 100% |
| | | Included data privacy as a risk factor | 99% | 99% | 99% | 97% | 93% |

Category: Risk management

| SEC/ISS | Topic | Disclosure | 2022 | 2021 | 2020 | 2019 | 2018 |
|---|---|---|---|---|---|---|---|
| SEC, ISS | Cybersecurity risk management efforts | Referenced efforts to mitigate cybersecurity risk, such as the establishment of processes, procedures and systems | 99% | 97% | 93% | 91% | 85% |
| | | Disclosed alignment with an external framework or standard | 18% | 9% | 3% | 3% | 1% |
| | | Referenced response readiness, such as planning, disaster recovery or business continuity considerations | 66% | 65% | 61% | 57% | 53% |
| | | Stated that preparedness includes simulations, tabletop exercises or response readiness tests | 9% | 5% | 7% | 3% | 3% |
| | | Stated that the company maintains a level of cybersecurity insurance | 51% | 43% | 36% | 36% | 31% |
| | | Included cybersecurity in executive compensation considerations | 7% | 11% | 5% | 1% | 0% |
| ISS | Education and training | Disclosed use of education and training efforts to mitigate cybersecurity risk | 45% | 36% | 30% | 26% | 18% |
| | Engagement with outside security community | Disclosed collaborating with peers, industry groups or policymakers | 15% | 12% | 11% | 12% | 7% |
| SEC, ISS | Use of external advisor | Disclosed use of an external independent advisor | 28% | 22% | 15% | 12% | 15% |
| | | Disclosed board engagement with an external independent advisor | 7% | 7% | 4% | 3% | 1% |
| | | Disclosed that the external advisor provided attestation | 14% | 8% | 4% | 4% | 4% |

Percentages are based on total disclosures by companies. Data are based on the 74 companies on the 2022 Fortune 100 list that filed Form 10-Ks and proxy statements in 2018, 2019, 2020, 2021 and 2022 through May 31, 2022. The SEC/ISS column marks areas of focus referenced in the SEC’s proposed rules and/or by ISS in its list of Governance QualityScore cyber risk factors released in February 2021.
*Some companies delegate cybersecurity oversight to more than one board-level committee.


The SEC’s proposed rules: to be finalized in 2023

Under Chair Gary Gensler, the SEC has prioritized cybersecurity on its agenda. In 2022, the commission proposed two cyber‑related rulemakings, illustrating its commitment to addressing cyber threats in the capital markets.

In March, the commission proposed rules that would, among other things, require cybersecurity incident reporting, and periodic reporting by public companies of their cybersecurity risk management, strategy and governance. The SEC’s regulatory agenda indicates it will finalize the proposed rules in spring 2023. As drafted, the rules would require registrants to disclose the following information:

  • Whether there is cybersecurity expertise on the company’s board of directors and, if so, the nature of such expertise
  • Whether the entire board, specific board members or a board committee oversees cybersecurity risks; how the board is informed about those risks, including the frequency of its discussions on the topic; and how the board or relevant board committee considers the risks as part of its oversight of business strategy, risk management and financial oversight
  • Policies, procedures and strategies, if any, for identifying and managing cyber threats
  • Management’s role in assessing and managing cybersecurity risks and in implementing the registrant’s cyber policies, procedures and strategies, including whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, and whether the registrant has a designated chief information security officer (CISO)

The proposal would also require disclosure of a material cybersecurity incident on Form 8-K within four business days of the registrant determining that the incident is material, and would require registrants to provide updates in periodic reports about previously disclosed material incidents. In addition, registrants would have to disclose when a series of previously undisclosed, individually immaterial cyber incidents becomes material in the aggregate.

10 leading practices to oversee cyber risk

EY regularly engages with boards and hosts gatherings of directors and cybersecurity experts to discuss challenges and leading practices in overseeing cyber risk. During the past year, our programs included dialogues involving more than 500 directors, and a three-part webcast series attended by over 18,000 people. The webcasts covered ransomware, leading practices for cyber oversight, and regulatory developments in cyber and data privacy.

Based on insights gained through our engagements with directors, as well as what EY cybersecurity leaders have learned from assignments around the globe and across industries and company sizes, we have identified these 10 leading practices to help boards oversee cyber risk:

1. Elevate the tone. 

Establish cybersecurity as a key consideration in all board matters.

2. Stay diligent. 

Address new issues and threats stemming from remote work and the expansion of digital transformation. And remember that every employee needs to be diligent, too: 82% of breaches involve a human element, according to Verizon’s 2022 Data Breach Investigations Report (DBIR), issued in late May.

3. Determine value at risk. 

Reconcile value at risk in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage.

4. Leverage new analytical tools. 

Such tools inform the board of cyber risks ranging from high-likelihood, low-impact events to low-likelihood, high-impact events (e.g., a black swan event).

5. Embed security from the start. 

Embrace a “trust by design” philosophy when designing new technology, products and business arrangements.

6. Independently assess your program. 

Obtain a rigorous third‑party assessment of your cyber risk management program (CRMP).

7. Evaluate third-party risk. 

Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain. Supply chains were responsible for 62% of system intrusion incidents in 2021, according to Verizon’s 2022 Data Breach Investigations Report.

8. Test response and recovery. 

Enhance enterprise resilience by conducting rigorous simulations and by putting engagement and escalation protocols in place with third-party specialists (e.g., incident response and forensic firms) before a crisis, not during one.

9. Understand escalation protocols. 

Have a defined communication plan for when the board should be notified, including incidents involving ransomware.

10. Monitor evolving practices and the regulatory and public policy landscape. 

Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics.


US public policy developments

Following up on President Biden’s May 2021 executive order on cybersecurity, the administration has continued its efforts to strengthen the nation’s cyber defenses, particularly in the wake of the war in Ukraine and related cyber threats.

Disclosure of cyber breaches continues to be a major topic of consideration, both at federal agencies and in Congress. In a statement issued on March 21, 2022, the president underscored the important role that US corporations must play in the fight: “You have the power, the capacity and the responsibility to strengthen the cybersecurity and the resilience of the critical services and technologies on which Americans rely.”

The SEC’s Division of Corporation Finance posted a sample comment letter on the SEC website to illustrate the types of comments it may issue to companies regarding disclosures on the direct and indirect effects of the war in Ukraine, the sanctions on Russia, and related supply chain issues. In the letter, the SEC staff reminded registrants that they have obligations to provide detailed disclosures, to the extent material or otherwise required, about new or heightened risk of cyber attacks.

Conclusion

Although the proposed SEC rules would formalize the timing and specify the content and location of cybersecurity disclosures, registrants need not wait for the rules to become final, nor limit themselves to doing only what is required. In other words, an opportunity is at hand to strengthen disclosures to demonstrate accountability and engagement, and to build stakeholder trust around how cybersecurity is prioritized, managed and overseen as a critical enterprise risk and strategic function.

Future threats — data manipulation, deepfake videos and other disinformation campaigns — will most certainly influence behavior, alter perspectives and exploit errors in human judgment. Cyber attacks and those who carry them out will continue to evolve. So must our command of innovative technologies, defensive measures and proactive governance to safely negotiate the ever‑changing threat landscape. One of the best ways to protect against intrusions is to move from a culture of withholding information and processes to one of sharing and working together.

A recent article revealed just such an effort, reporting that “some of the nation’s largest banks are now ... engaging in role play and sharing information they would have guarded closely in the past.”¹

Questions for the board to consider

  • Has management performed an analysis comparing the company’s current cybersecurity disclosures with the SEC’s proposed rules and shared the results with the board?
  • Do the company’s disclosures effectively communicate the rigor of its cyber-risk management program and related board oversight?
  • Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity and ESG disclosure requirements?
  • Have appropriate and meaningful cyber metrics been identified and provided to the board on a regular basis and given a dollar value?
  • What kind of threats is the company most concerned about? How does the company monitor the evolving threat landscape? Has the company been the target of a major cyber attack?
  • What information has management provided to help the board assess which critical business assets and partners, including third parties and suppliers, are most vulnerable to cyber attacks?
  • How does management evaluate and categorize identified cyber and data privacy incidents and determine which ones to escalate to the board?
  • What kind of policies has the company established on ransomware? How have the company and board approached the issue of payment?
  • Has the board participated with management in one of its cyber breach simulations in the last year? How rigorous was the testing?
  • Will new or pending privacy regulations and frameworks impact the organization’s strategy, competitive position, and business models and practices?
  • Has the board leveraged a third-party assessment, as described in the NACD’s cyber-risk oversight handbook, to validate that the company’s cyber risk management program is meeting its objectives? If so, is the board having direct dialogue with the third party related to the scope of work and findings?
  • Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?

Summary

As cybersecurity risks continue to grow, stakeholders want more information about how companies are addressing and governing these risks. Some companies are responding through additional disclosures related to cybersecurity expertise on the board, oversight practices and reports from management. Our annual analysis reveals how Fortune 100 company disclosures around cybersecurity have evolved in the past five years.
