Public disclosures offer insight into how companies prepare for and respond to cybersecurity incidents and what role the board plays.
Cybersecurity attacks are among the gravest risks that businesses face today. The EY 2019 CEO Imperative Survey found that CEOs ranked national and corporate cybersecurity as the top global challenge to business growth and the global economy.
In this environment, stakeholders want to better understand how companies are preparing for and responding to cybersecurity incidents. They also want to understand how boards are overseeing these critical risk management efforts. Some of the answers can be found in public disclosures.
The U.S. Securities and Exchange Commission (SEC) issued guidance in 2018 promoting clearer and more robust disclosure about cybersecurity risks and incidents and how boards discharge their cybersecurity risk oversight responsibility. Our 2018 Cybersecurity disclosure benchmarking report explored how companies were responding to this guidance.
We undertook the same research this year to help inform stakeholders of emerging trends and developments. We analyzed three areas of cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies from 2018-2019: board oversight (including risk oversight approach, board-level committee oversight, and director skills and expertise), statements on cybersecurity risk, and risk management (including cybersecurity risk management efforts, education and training, engagement with outside security experts and use of an external advisor). We found that many companies are enhancing their cybersecurity disclosures, with the most significant changes related to board oversight practices.
We also found that the depth and nature of these disclosures vary widely, and do not necessarily capture the entirety of a company’s cyber-risk management and oversight activities. For example, only a few companies disclosed they are obtaining an assessment of their cybersecurity risk management program from an independent third party or conducting tabletop exercises (i.e., breach simulations) to enhance cyber incident preparedness by the board and C-suite. These are practices we are routinely observing in the market.
Our market observations
The EY Center for Board Matters frequently conducts education and insight sessions for boards. Based on these meetings and the work being done by our cybersecurity advisors around the globe and across industries, we have identified the following leading practices for overseeing cybersecurity risks:
- Having unfiltered board discussions with the chief information security officer (CISO) in executive sessions
- Gaining insights into how management is validating the operational effectiveness of its cybersecurity risk management program
- Regularly infusing cyber in boardroom conversations with all C-suite executives and division leaders to help create accountability for their role in supporting the cybersecurity environment
- Asking questions about cybersecurity impacts when contemplating any new product, initiative, partnership or business deal, and overseeing that cyber resiliency is embedded into the foundation of company practices and processes (i.e., trust by design)
- Upskilling the full board via concentrated cybersecurity education and periodic training sessions with outside experts, certification courses and peer-to-peer director exchanges
- Overseeing that a third party is periodically evaluating the design and effectiveness of the company’s cybersecurity risk management program, and engaging directly with that third party to help challenge internal bias
- Overseeing, and periodically participating in, tabletop exercises and simulations as part of the company’s cybersecurity incident response and recovery planning
The SEC’s 2018 Commission-level guidance, which reinforced and built on the SEC staff’s 2011 cybersecurity guidance, clarified companies’ obligations to disclose cybersecurity risks, material breaches and the potential impact of the breaches on business, finances and operations — the goal being to enable investors to make more risk-informed investment decisions. The guidance reminded companies that a number of existing SEC disclosure requirements could require disclosure of cybersecurity matters, including description of the business, legal proceedings, MD&A, board role in risk management, and risk factors.
It expanded the prior guidance by highlighting two new topics: (i) the importance of strong disclosure controls and procedures to enable timely and accurate disclosures of cybersecurity risks and incidents, and (ii) insider trading prohibitions related to cybersecurity incidents.1 Although the SEC reiterated its expectation that companies provide timely disclosure of cybersecurity risks and incidents that are material to investors, the guidance clarifies that companies need not make disclosures that could compromise their cybersecurity efforts and acknowledges that an ongoing investigation by law enforcement of a cybersecurity incident may affect the scope of the disclosure about the incident.
Since the 2018 guidance was issued, SEC Chairman Jay Clayton has made public statements emphasizing the importance of cybersecurity disclosures.2 SEC Director of Corporation Finance William Hinman also has discussed the need for companies to comply with the guidance and noted that companies are responding to the guidance, as the SEC staff is seeing fewer boilerplate cybersecurity-related disclosures.3 The Commission staff also has asked questions about the sufficiency of cybersecurity disclosures in comment letters to issuers.
The SEC staff looks at and comments on cybersecurity-related disclosures as part of its regular reviews of public company filings. The staff also monitors news reports of cyber breaches to assist in this process.4 The SEC staff has said it does “not second-guess good faith exercises of judgment about cyber-incident disclosures. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action could be warranted.”5 One such case has already been brought.6
Most investors consider cybersecurity to be a critical component of risk oversight and are engaging with portfolio companies to better understand how cybersecurity risk is governed and managed. We heard this consistently in late 2018 in conversations with governance specialists from more than 60 institutional investors representing over US$32 trillion in assets under management.
As part of our annual EY Center for Board Matters investor outreach, we asked investors about the top risk issues they are raising in their engagements with companies, and 61% said cybersecurity, regardless of sector, was among those elevated risk issues, even though investors characterize cyber risk as a pervasive and standard risk impacting all companies. Some of the key themes we heard from those conversations were:
- An interest in understanding how boards are structuring oversight (i.e., is a committee or the full board charged with that responsibility)
- How directors are developing competence around and staying up-to-speed on cyber issues
- Who in management is reporting to the board and how often
- Key features of how management is addressing cyber risk
- Interest in data privacy issues and compliance with new privacy laws and regulations
While some investors said they are focused on companies where a cyber incident has occurred, they also said that given the current environment, where cybersecurity attacks are inevitable, they are specifically focused on companies’ response and recovery mechanisms.
What we found
We conducted an analysis of cybersecurity-related disclosures in the proxy statements and annual reports on Form 10-K of the 82 companies on the 2019 Fortune 100 list that filed those documents in both 2018 and 2019 through September 5, 2019. The analysis was based on cybersecurity-related disclosures on the following topics:
- Board oversight, including risk oversight approach, board-level committee oversight, and director skills and expertise
- Statements on cybersecurity risk
- Risk management, including cybersecurity risk management efforts, education and training, engagement with outside security experts, and use of an external advisor
Overall, we observed modest year-over-year increases across most of the disclosures tracked, though the depth and company-specific nature of the disclosures continued to vary widely, including the level of detail. This reveals continued opportunity for enhancement in how risk management activities and responsibilities, response preparedness and board oversight around cybersecurity issues are communicated.
The most significant changes relate to the area of board oversight, including risk oversight approach, board-level committee oversight, and the identification of director skills and expertise as well as officers reporting to the board on cybersecurity. Specifically:
- Eighty-nine percent of companies disclosed a focus on cybersecurity in the risk oversight section of their proxy statements, up from 80% last year.
- More boards assigned cybersecurity oversight to non-audit committees, 28% this year up from 21% in 2018.
- A portion of these, 9% overall, assigned cyber responsibilities to both a non-audit committee and the audit committee. Most companies, 56% overall, assigned cybersecurity oversight to the audit committee alone. Some companies, 10% overall, indicated that the full board retained cybersecurity oversight, and a small number, 6% overall, did not explicitly disclose how they allocate oversight.
- Only a few of these boards moved cybersecurity oversight responsibilities from the audit committee to another committee; in most cases cybersecurity oversight responsibilities were newly assigned to a non-audit committee.
- More than half (54%) included cybersecurity as an area of expertise sought on the board or cited in a director biography, up from 40% last year.
- Thirty-three percent identified at least one “point person” from management (e.g., the CISO or the chief information officer) who reports to the board, up from 26% last year.
The percentage of companies that disclosed the use of an external independent advisor regarding cybersecurity matters held fairly steady at 12% in 2019 versus 13% last year. Nine percent stated that their preparedness includes simulations, tabletop exercises, response readiness tests or independent assessments.