10 minute read 7 Aug 2020

What companies are disclosing about cybersecurity risk and oversight

By

Stephen Klemash

EY Americas Center for Board Matters Leader

Recognized leader in corporate governance. Experienced board member. Trusted advisor to senior executives and directors. Fervent reader. Husband and father.


Emerging trends and developments in cybersecurity-related disclosures of Fortune 100 companies.

In brief

  • Digital strategy and technology infrastructure have become critical elements of differentiation in today’s business environment.
  • Remote working, online interactions and disruptive technologies are introducing new vulnerabilities and reshaping the cybersecurity threat landscape.
  • Securing an organization’s virtual ecosystem is more important than ever to future resiliency and value creation.

Cybersecurity risk is intensifying, particularly with widespread remote working and increased online interactions amid the pandemic. The rapid adaptation of many business processes and protocols to enable this virtual environment has greatly expanded the corporate attack surface and introduced new risks to the confidentiality, integrity and availability of critical company data and the systems that support it.

The return of some workers to a physical workplace is also raising new data security risks and privacy questions, with companies collecting data related to employee, contractor and customer health such as COVID-19 testing, temperature checks and contact tracing. At the same time, harnessing new and disruptive technologies — and enabling the trust of stakeholders and the marketplace in doing so — is key to helping organizations lead, innovate and differentiate.

In this environment, remaining cyber-resilient and building stakeholder trust in the company’s data security and privacy practices is a strategic imperative. Public disclosures can help build trust by providing transparency and assurance around how boards are fulfilling their cybersecurity risk oversight responsibilities.

EY researchers analyzed cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies to identify emerging trends and developments and help companies identify opportunities for enhanced communication. We looked at 76 Fortune 100 companies that filed those documents from 2018 through May 31, 2020.

What we found

Many companies are enhancing their cybersecurity disclosures, with modest increases across most of the disclosures tracked. The most significant changes this year related to the area of board oversight, including board-level committee oversight and the identification of director skills and expertise. Other notable findings include the continued scarcity of disclosures related to cyber-readiness simulations and the use of independent third-party advisors — practices that are prevalent in the market and vital to enhancing cyber resiliency from the EY perspective.

Figure: Fortune 100 company cybersecurity disclosures

Board-level committee oversight

More boards are assigning cybersecurity oversight responsibilities to a committee. Eighty-seven percent of companies this year have charged at least one board-level committee with cybersecurity oversight, up from 82% last year and 74% in 2018. Audit committees remain the primary choice for those responsibilities. This year 67% of boards assigned cybersecurity oversight to the audit committee, up from 62% in 2019 and 59% in 2018.

Last year we observed a significant increase in boards assigning cybersecurity oversight to non-audit committees, most often risk or technology committees (28% in 2019, up from 20% in 2018), but that percentage dropped slightly this year (26% in 2020). A minority of boards, 7% overall, assigned cyber responsibilities to both the audit committee and a non-audit committee.

Among the boards assigning cybersecurity oversight responsibilities to the audit committee, nearly two-thirds (65%) formalize those responsibilities in the audit committee charter. Among the boards assigning such responsibilities to non-audit committees, most (85%) include those responsibilities in the charter.

Identification of director skills and expertise

The percentage of companies discussing cybersecurity in the context of director qualifications has increased significantly in recent years. In 2020, 58% of companies included cybersecurity as an area of expertise sought on the board or cited it in a director biography, up from 51% last year and 39% in 2018. A few companies were inconsistent, citing cybersecurity experience in a director's biography in one year but not the next. Overall, the disclosures indicate that companies are paying more attention to noting director experience or expertise in cyber.

Data privacy

Nearly all (99%) of the companies we reviewed addressed data privacy in the risk factor disclosures included in their 2020 and 2019 10-K filings, compared with 93% in 2018. The degree of explicit focus on data privacy as a material risk varied widely. Around a quarter (24%) treated data privacy as a stand-alone risk factor, often noting increasingly complex and changing data privacy regulations that create high financial and legal exposure in addition to the reputational and operational risks involved. Thirty percent grouped data privacy with cybersecurity as a single risk factor, addressing the overlapping risks in tandem. Just under half (45%) addressed data privacy in the context of broader risk factors, generally those related to information technology or regulatory risk.

Response readiness simulations and tabletop exercises

While the percentage of companies disclosing that they performed cyber-incident simulations or tabletop exercises more than doubled from 3% last year to 7% in 2020, the number of companies making this disclosure remains low. Of the handful of companies communicating that simulations, drills or tabletop exercises were conducted at the management level, none disclosed whether the board was involved in these exercises.

Simulations are a critical risk-preparedness practice. Even the most robust cybersecurity program can never eliminate all risk, and if response plans are not practiced before a breach occurs, the reaction is largely improvised.

Well-designed incident simulations and tabletop exercises stress-test the organization and improve readiness by clarifying roles, protocols and escalation processes. Management should design these exercises around the company's most significant vulnerabilities and the scenarios in which the greatest financial impact is at stake; given that around a third of the incidents disclosed this year involved third-party service providers, a breach at a supplier is one such scenario. Boards should consider participating in at least one of these simulations annually.

Use of external independent advisor

The number of companies disclosing the use of an external independent consultant to support management held fairly steady, with 12 companies making the disclosure this year vs. 10 in 2019 and 12 in 2018. Among the companies making the disclosure in 2020, only four made clear that the board met directly with the independent third party.

Our market observations

Over the past two years, EY leaders have regularly engaged with boards and hosted gatherings of directors and cybersecurity experts to discuss challenges and leading practices for overseeing cybersecurity risk.

We have identified the following leading board practices:

  • Set the tone. Demonstrate that cybersecurity and privacy risk are critical business issues by increasing the board and/or committee’s time and effort spent discussing the topic.
  • Stay up‑to‑date. Increase the frequency of board and/or committee updates on specific actions to address new cybersecurity and privacy issues and threats as a result of the seismic shift to remote work.
  • Determine value at risk. Understand the company’s value at risk in dollars beyond insurance and reconcile against the board’s risk tolerance.
  • Embed security from the start. Embrace a “Trust by Design” philosophy by designing new technology, products and business arrangements with security in mind.
  • Independently assess the Cybersecurity Risk Management Program (CRMP). Confirm the CRMP is independently and appropriately assessed by a third party that reports its findings directly to the board.
  • Understand protocols. Obtain a thorough understanding of the cybersecurity incident and breach escalation process and protocols.
  • Manage third‑party risk. Understand management’s processes to identify, assess and manage the risk associated with service providers and the supply chain.
  • Test response and recovery. Have the company’s ability to respond and recover tested through simulations and arrange protocols with third-party professionals before a crisis.
  • Monitor evolving practices. Stay attuned to evolving board and committee cybersecurity oversight practices and disclosures.

Disclosure of cyber incidents

In 2020, 10 companies disclosed cyber incidents, each disclosing a single incident. Only one of those incidents occurred within the past year; the others dated back as far as 2006. Around a third of the disclosed data breaches related to cyber attacks on third-party service providers. The depth of the disclosures varied, often depending on how recent the event was, ranging from a statement that an incident occurred and its broad implications to a more in-depth account including the number of account holders affected, the nature of the data and the remedial steps taken to fix the security vulnerability.

Investor perspectives

Cybersecurity remains an investor engagement priority. As part of our annual EY Center for Board Matters investor outreach, in the fall of 2019 we asked more than 60 institutional investors representing more than US$35 trillion in assets under management what they view as the biggest threats to portfolio companies’ strategic success in the next three to five years. Cybersecurity and data privacy ranked third among the key risks they cited, and these conversations took place well in advance of COVID-19 and the resulting acceleration of remote work.

Because the threat of a breach cannot be eliminated, some investors stressed that they are particularly interested in resiliency, including how (and how quickly) companies are detecting and mitigating cybersecurity incidents. Some are asking their portfolio companies about specific cybersecurity practices, such as whether the company has had an independent assessment of its cybersecurity program, and some are increasingly focusing on data privacy and whether companies are adequately identifying and addressing related consumer concerns and expanding regulatory requirements.

SEC guidance

The SEC continues its broad spotlight on cybersecurity.1 In a January 2020 report, the SEC’s Office of Compliance Inspections and Examinations (OCIE) noted that “[t]he seriousness of threats and the potential consequences to investors, issuers, and other securities market participants, and the financial markets and economy more generally, are significant and increasing.”2 With the COVID-19-driven acceleration of digital business and large, potentially permanent shifts to remote working, including virtual board and executive management meetings, cybersecurity risks are substantially greater.

The SEC has also emphasized the importance of strong disclosure controls and procedures to enable timely and accurate disclosures of cybersecurity risks and incidents, and clear insider trading prohibitions related to cybersecurity incidents.3

US public policy environment

Policymakers in Washington continue to grapple with how to address rising and evolving cyber threats. While a legislative solution is unlikely in 2020, it remains a key concern and focus for Congress and the administration.

The lack of congressional action has pushed states to deploy a patchwork of cybersecurity laws. State legislative action surrounding cybersecurity increased during the last session, with over 230 bills introduced related to the creation of cybersecurity task forces, mandatory training of state employees, data breach penalty and notification requirements on private businesses and more. Expect to see states continue to evolve in this space to combat the growing concerns of cybersecurity given the current, and in some cases, permanent increase of remote work.

Conclusion

Digital strategy and technology infrastructure have become critical elements of competitive differentiation, even survival, in today’s business environment. At the same time, the rapid acceleration of remote working and learning, online interactions and new disruptive technologies are introducing new vulnerabilities and reshaping the cybersecurity threat landscape. Securing an organization’s virtual ecosystem and building trust around that security is more important than ever to future resiliency and value creation.

When data confidentiality, integrity or availability is compromised, or products and services cease to perform as expected, trust built over years can be lost in a day — and stakeholder expectations around, and scrutiny of, security and privacy protections continue to increase. Companies should strengthen their cybersecurity disclosures to demonstrate accountability and engagement on this issue, and build stakeholder trust around how cybersecurity is prioritized, managed and overseen as a critical enterprise risk and strategic opportunity.

Questions for the board to consider

  • Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity?
  • Do the company’s disclosures effectively communicate the rigor of its cybersecurity risk management program and related board oversight?
  • What information has management provided to help the board assess which critical business assets and critical partners, including third parties and suppliers, are most vulnerable to cyber attacks?
  • Have appropriate and meaningful cyber metrics been identified, given a dollar value and provided to the board on a regular basis?
  • How does management evaluate and categorize identified cyber and data privacy incidents and determine which to escalate to the board?
  • Has the board leveraged a third-party assessment, as described in the NACD’s Cyber-Risk Oversight 2020 handbook, to validate that the cybersecurity risk management program is meeting its objectives?
  • If so, is the board in direct dialogue with the third party about the scope of work and findings?
  • Has the board participated with management in one of its cyber breach simulations in the last year?
  • Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?

Summary

An analysis of cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies identifies emerging trends and developments to help companies identify opportunities for enhanced communication.
