Simulations are a critical risk-preparedness practice. Even the most robust cybersecurity program can never eliminate all risk.
If plans are not practiced and a breach occurs, the reaction is largely improvised. Well-designed incident simulations and tabletop exercises can stress-test the organization and improve readiness by providing clarity of roles, protocols and escalation processes. Management should conduct these exercises to test the company’s significant vulnerabilities and where the greatest financial impact is at stake. Boards should consider participating in at least one of these simulations annually.
Use of external independent advisor
The number of companies disclosing the use of an external independent consultant to support management held fairly steady, with 12 companies making the disclosure this year vs. 10 in 2019 and 12 in 2018. Among the companies making the disclosure in 2020, only four made clear that the board met directly with the independent third party.
Our market observations
Over the past two years, EY leaders have regularly engaged with boards and hosted gatherings of directors and cybersecurity experts to discuss challenges and leading practices for overseeing cybersecurity risk.
We have identified the following leading board practices:
- Set the tone. Demonstrate that cybersecurity and privacy risk are critical business issues by increasing the board and/or committee’s time and effort spent discussing the topic.
- Stay up‑to‑date. Increase the frequency of board and/or committee updates on specific actions to address new cybersecurity and privacy issues and threats as a result of the seismic shift to remote work.
- Determine value at risk. Understand the company’s value at risk in dollars beyond insurance and reconcile against the board’s risk tolerance.
- Embed security from the start. Embrace a “Trust by Design” philosophy by designing new technology, products and business arrangements with security in mind.
- Independently assess the Cybersecurity Risk Management Program (CRMP). Confirm the CRMP is independently and appropriately assessed by a third party with their direct feedback to the board.
- Understand protocols. Obtain a thorough understanding of the cybersecurity incident and breach escalation process and protocols.
- Manage third‑party risk. Understand management’s processes to identify, assess and manage the risk associated with service providers and the supply chain.
- Test response and recovery. Have the company’s ability to respond and recover tested through simulations and arrange protocols with third-party professionals before a crisis.
- Monitor evolving practices. Stay attuned to evolving board and committee cybersecurity oversight practices and disclosures.
Disclosure of cyber incidents
In 2020, 10 companies disclosed cyber incidents, with each company disclosing a single incident. Only one of those events had occurred in the past year, with the rest dating as far back as 2006. Around a third of the disclosed data breaches related to cyber attacks on third-party service providers. The depth of the disclosures varied, often based on how recent the event was. Disclosures ranged from stating the occurrence of an incident and its broad implications to providing a more in-depth account, including the number of account holders affected, the nature of the data and the remedial steps taken to fix the security vulnerability.
Investor perspectives
Cybersecurity remains an investor engagement priority. As part of our annual EY Center for Board Matters investor outreach, in the fall of 2019 we asked more than 60 institutional investors representing more than US$35 trillion in assets under management what they view as the biggest threats to portfolio companies’ strategic success in the next three to five years. Cybersecurity and data privacy ranked third among the key risks they cited, and these conversations took place well in advance of COVID-19 and the resulting acceleration of remote work.
Because the threat of a breach cannot be eliminated, some investors stressed that they are particularly interested in resiliency, including how (and how quickly) companies are detecting and mitigating cybersecurity incidents. Some are asking their portfolio companies about specific cybersecurity practices, such as whether the company has had an independent assessment of its cybersecurity program, and some are increasingly focusing on data privacy and whether companies are adequately identifying and addressing related consumer concerns and expanding regulatory requirements.
SEC guidance
The SEC continues its broad spotlight on cybersecurity.[1] In a January 2020 report, the SEC’s Office of Compliance and Inspections noted that “[t]he seriousness of threats and the potential consequences to investors, issuers, and other securities market participants, and the financial markets and economy more generally, are significant and increasing.”[2] With the COVID-19-driven accelerated shift to digital business and massive, potentially permanent shifts to remote working, including virtual board and executive management meetings, cybersecurity risks are exponentially greater.
The SEC has also emphasized the importance of strong disclosure controls and procedures to enable timely and accurate disclosures of cybersecurity risks and incidents, and clear insider trading prohibitions related to cybersecurity incidents.[3]
US public policy environment
Policymakers in Washington continue to grapple with how to address rising and evolving cyber threats. While a legislative solution is unlikely in 2020, it remains a key concern and focus for Congress and the administration.
The lack of congressional action has pushed states to deploy a patchwork of cybersecurity laws. State legislative action surrounding cybersecurity increased during the last session, with over 230 bills introduced related to the creation of cybersecurity task forces, mandatory training of state employees, data breach penalty and notification requirements on private businesses and more. Expect to see states continue to evolve in this space to combat the growing concerns of cybersecurity given the current, and in some cases, permanent increase of remote work.
Conclusion
Digital strategy and technology infrastructure have become critical elements of competitive differentiation, even survival, in today’s business environment. At the same time, the rapid acceleration of remote working and learning, online interactions and new disruptive technologies are introducing new vulnerabilities and reshaping the cybersecurity threat landscape. Securing an organization’s virtual ecosystem and building trust around that security is more important than ever to future resiliency and value creation.
When data confidentiality, integrity or availability is compromised, or products and services cease to perform as expected, trust built over years can be lost in a day — and stakeholder expectations around, and scrutiny of, security and privacy protections continue to increase. Companies should strengthen their cybersecurity disclosures to demonstrate accountability and engagement on this issue, and build stakeholder trust around how cybersecurity is prioritized, managed and overseen as a critical enterprise risk and strategic opportunity.
Summary
An analysis of cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies identifies emerging trends and developments to help companies identify opportunities for enhanced communication.