The evolving challenges around cybersecurity risk management and incidents have placed focus on enhanced communication through disclosures.
As cybersecurity threats evolve and risks become more complex and widespread, focus on corporate disclosures in public filings on the subject likely will intensify.
Cybersecurity crime is an increasing threat with unique challenges resulting from the complexity of an interconnected business ecosystem and the rapid evolution in technology. While the U.S. Securities and Exchange Commission (SEC) has required registrants to disclose information about business risks and material developments in their annual reports for decades, companies face particular challenges in publicly reporting cybersecurity threats. This is due in part to the need to disclose material information while keeping potentially sensitive information out of the hands of attackers.
To help inform stakeholders, we conducted an analysis of cybersecurity-related disclosures of Fortune 100 companies. These companies often are leaders as governance disclosure practices continue to evolve. The review was based on two prominent investor-facing public filings: proxy statements and Form 10-K filings.
Our observations revealed that the depth and nature of cybersecurity-related disclosures vary widely, suggesting there is opportunity for enhancement in how cybersecurity risks, cybersecurity risk management frameworks and board oversight are communicated. This data will provide companies and other stakeholders with insights on this quickly evolving area of disclosure.
Disclosure without risk
Cybersecurity-related risks are complex, which can make it challenging to provide meaningful information to investors and other stakeholders without disclosing facts that could harm company efforts to protect data security.
In the wake of several major cybersecurity incidents, companies, investors and policymakers have been re-examining what and when information is communicated by companies and opportunities for enhanced disclosure.
There are many forces driving the increased focus on corporate disclosures around cybersecurity-related risks and incidents. Insights on current disclosures, along with perspectives on the topic from regulators, investors and boards of directors can enhance consideration and discussions around cybersecurity-related disclosures.
Current regulatory landscape
2018 cybersecurity guidance from the SEC
The SEC issued guidance[1] on 21 February 2018 “… to assist public companies in preparing disclosures about cybersecurity risks and incidents.” In framing the matter and the SEC’s motivation in issuing it, the guidance states that:
“Cybersecurity risks pose grave threats to investors, our capital markets, and our country. Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks.”
The new guidance reinforces and builds on the SEC’s 2011 cybersecurity staff guidance[2], which clarified companies’ obligations to disclose cybersecurity risks, material breaches and the potential impact of the breaches on business, finances and operations. The 2018 guidance adds two new topics:
- The importance of public companies having strong disclosure controls and procedures to enable timely and accurate disclosures of cybersecurity risks and incidents
- Insider trading prohibitions as related to cybersecurity incidents
SEC Chairman Jay Clayton expressed his views on the guidance in a press statement, stating it “… will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He encouraged “… public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
SEC officials have stated that the Division of Corporation Finance will monitor cybersecurity disclosures as part of its selective filing reviews, and encouraged stakeholders to provide feedback on the guidance. It should be noted that the 2018 SEC guidance was issued shortly before annual reports for 2017 were due to be filed and at the start of the 2018 proxy season, so companies may not have had a full opportunity to consider and implement it.
Investors view cyber as integral to risk oversight
Investors view cybersecurity risk management as a critical component of the board’s risk oversight responsibilities. That is what many leading institutional investors have shared with EY during our annual investor outreach program, which most recently included conversations with more than 60 institutional investors representing US$32 trillion in assets under management.
In light of the importance of cybersecurity, some investors seek additional and enhanced disclosure from companies and engagement with boards on cybersecurity planning, risks and incidents. Investors generally want to understand how boards are actively overseeing cybersecurity risks and strategy.
Through engagement, some investors also seek to learn whether the board is receiving regular reports from management and input from third-party independent experts as appropriate.
The Council of Institutional Investors (CII) published a list of questions[4] for investors to pose to boards in an effort to understand how they are prioritizing cybersecurity. The publication recommends that companies proactively communicate how they address cybersecurity matters as a way to enhance investor confidence and suggests that directors need to “understand management’s cybersecurity strategy; learn where cybersecurity weaknesses lie, and support informed, reasonable investment in the protection of critical data and assets.”
“Users should expect companies of various sizes, industries and cyber risk profiles to bring different strategies, in varied stages of implementation, in response to this massive and growing challenge,” according to the CII. The questions posed by the CII were as follows:
- How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
- Has the board evaluated and approved the company’s cybersecurity strategy?
- How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
- How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
- When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?
Boards of directors
Boards also are increasing engagement on the subject. Consider that the recent SEC guidance states:
“… we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
The National Association of Corporate Directors issued an updated Cybersecurity Handbook in 2017[5] that outlined five principles for board cybersecurity oversight. The handbook states:
“Along with the rapidly expanding ‘digitization’ of corporate assets, there has been a corresponding digitization of corporate risk. Accordingly, policymakers, regulators, shareholders and the public are more attuned to corporate cyber risk than ever before.”
According to the NACD, these are the five principles boards should consider as they seek to enhance their oversight of cybersecurity risks:
- Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Principle 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Principle 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas. According to the handbook, when needed, directors should look to outside experts to help them evaluate the assertions made by management and security leadership. Boards should schedule “deep-dive briefings” for independent third-party experts to help validate the extent to which the cybersecurity program is meeting objectives.
- Principle 4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. The handbook also recommended regular reviews of the effectiveness of the organization’s cyber-risk management.
- Principle 5: Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
US policy environment
While it is difficult to legislate or dictate prescriptive policy to address cybersecurity risks, the issue is being contemplated by a host of regulators and government agencies in the US and around the world. US regulators across sectors from the Federal Trade Commission to the Department of Commerce are stepping up activity in this area.
Congress is also increasing its oversight and engagement on cybersecurity disclosure and risk management. Recent high-profile hearings on Capitol Hill highlighted broad bipartisan concerns over how companies manage, plan for and disclose cybersecurity attacks. Members also have heard testimony on legislative proposals such as the Cybersecurity Disclosure Act of 2017[6].
The bill, introduced by Senator Jack Reed (D-RI) and supported by Senator Susan Collins (R-ME), would direct the SEC to issue final rules requiring a registered public company to disclose in its annual report or annual proxy statement whether any member of its board has expertise or experience in cybersecurity.
While political headwinds and institutional challenges make passage of cybersecurity legislation unlikely in the near term, interest from Congress and other policymakers in Washington continues to increase.