What cyber disclosures are telling shareholders in 2023

Investors need accurate and timely disclosures on cybersecurity risk governance and management to make informed decisions.


In brief

  • Directors play a critical role in overseeing enhanced disclosures to clarify the board’s oversight of cybersecurity risks and its competency to provide it.
  • In the US, more cybersecurity regulation and additional requirements for cyber disclosures are here or on their way.
  • Cybersecurity risk management is about response preparedness and resilience, based on comprehensive crisis response plans that are regularly stress-tested.

Companies face a tension: they must disclose enough information for investors to understand whether the business is responding to and recovering from a material cyber incident, without providing a roadmap to attackers or undermining law enforcement efforts. Furthermore, the cyber threat landscape has reached a new and dangerous stage in its evolution, with cybercrime expected to cost the world some US$8 trillion in 2023.ᶦ Our latest EY Global Information Security Survey (GISS) shows that 30% of senior cybersecurity leaders report that hackers are using new strategies that could potentially outsmart their defenses.

In addition to long-standing threats such as IP theft and ransomware, new technologies are dramatically affecting the cybersecurity landscape. ChatGPT reached 1 million users in five days, making it one of the fastest-growing online platforms in history. By comparison, the most popular social media platforms took anywhere from several months to years to reach that same milestone. More importantly, it is a signal of what is to come: generative artificial intelligence (AI) is poised to reshape our society. Not only are people adopting it in droves, but unlike social platforms, its business applications appear infinite. This technology is maturing fast, and real opportunities and risks for businesses are months, not years, away.

Despite these risks, 35% of board directors polled in an EY analysis say they lack an understanding of the AI-related risks their companies face. Organizations need a board-approved strategy on evolving technologies (e.g., generative AI).

Emerging technologies and existing cybersecurity risk management can often present competing challenges for management and the board’s attention. In a time of turbulence, boards have a critical role to play in strengthening risk management.

Robust cyber-related disclosures inform shareholders of how the company is currently addressing the fast-paced challenges of cyber risk, including notifying them of cyber incidents, and so help them make more informed investment decisions. Additionally, many organizations will need to comply with new regulations such as the U.S. Securities and Exchange Commission's (SEC) recent final rules requiring public companies to disclose their cybersecurity risk management, strategy, governance and incident reporting.

In our latest analysis of cyber‑related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies, we found more companies providing information about board directors’ cyber-related skills and expertise and management’s reporting structure and frequency of reporting.

Our refreshed analysis of the proxy statements and 10‑K filings, the sixth in an annual series, was designed to identify emerging trends and opportunities for enhanced communication. We looked at filings from 75 Fortune 100 companies that filed during each fiscal year from 2018 through May 31, 2023. We cited sample language from their disclosures and examined the current US regulatory and public policy cyber landscape.

What we found

In comparing the proxy statements and Form 10-K filings of Fortune 100 companies over the past six years, we have seen steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.

Providing insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters had a disclosure rate of 87% in 2023, up from 55% in 2018. Identifying at least one point person responsible for reporting to the board, such as the chief information security officer (CISO) or chief information officer (CIO), was disclosed by 57% this year, up from 23% in 2018.

Other areas of noteworthy increases in disclosure rates in the 2023 filings:

  • Frequency of management reporting to the board or committee(s) (83%, up from 37% in 2018)
  • Cybersecurity disclosed as an area of expertise sought on the board (61%, up from 20% in 2018)
  • Director cybersecurity skills and expertise cited in at least one director biography (68%, up from 33% in 2018)
  • Use of an external independent advisor (45%, up from 15% in 2018)

A detailed analysis of the latest disclosures, in the context of six-year trends, follows. In certain key areas, we provide a comparison with the SEC rules, underscoring the gaps that some companies will need to address in their practices and disclosures.

Management reporting to the board

The new SEC rules require disclosing the processes by which the board or committee responsible is informed about cyber risks. Over time, we’ve seen disclosure enhancements regarding management reporting on such risks to the board. This year, 87% of companies provided insights into management reporting to the board and/or committee overseeing cyber matters, up from 55% in 2018.

While that change is notable, the real change we are seeing is around who is providing that information and how often it is conveyed. In 2023, 57% identified at least one person who reports to the board on cybersecurity, most often the CISO or CIO, up from 23% in 2018. Similarly, 49% disclosed this year that management reports to the board on cybersecurity at least annually, with a number of companies reporting on at least a quarterly basis, up from 12% in 2018. Many other companies include language on the frequency of management reporting, but typically that language is not specific, alluding to reports to the board that occur “regularly” or “periodically.”

As the rules indicate, the Commission directs registrants to disclose management positions or committees responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. Disclosing details of the frequency of reporting could be included as part of describing the processes by which the board or relevant committee is informed about cybersecurity risks.

Adding specificity to these disclosures may help stakeholders assess whether the board is engaging with the CIO, CISO or equivalent executive at an appropriate cadence to conduct its oversight. While it is common for either the CIO or CISO to routinely brief the board, in our discussions with directors, many indicate that they intentionally raise cyber risks in their interactions with other members of management. In doing so, directors set a heightened tone at the top and demonstrate that cyber is viewed as a critical enterprise risk that is ultimately owned by the businesses and touches key activities across the company, from M&A to product development to vendor management to human resources.

Board-level committee oversight

Under the final rule, the SEC requires companies to identify and disclose whether any board committee or subcommittee is responsible for cybersecurity oversight. In our research, 91% of companies this year charged at least one board‑level committee with cybersecurity oversight, up from 72% in 2018. Since 2018, we’ve observed an increase in boards assigning oversight to committees other than audit, most often risk or technology committees. This year, 31% of boards chose a committee other than audit, for primary or additional oversight, up from 19% in 2018. Among the boards making that choice, 86% added cyber responsibilities to the committee charter.

For now, at least, audit committees remain the primary choice to oversee cybersecurity risk. This year, 75% of the boards chose audit, up from 59% in 2018. Among the boards that chose the audit committee, 82% formalized that responsibility in the committee charter.

Identification of director skills and expertise

Although the final SEC rules do not require disclosing whether directors have expertise in cybersecurity, disclosure of such expertise represents one of the more significant shifts in disclosure rates that we have observed since initiating this analysis six years ago. In 2023, 61% of companies disclosed cybersecurity as an area of expertise sought on the board, up from 20% in 2018. More than two-thirds of the companies now cite cybersecurity experience in at least one director biography, up from 33% in 2018. Gartner predicts 70% of boards will include at least one member with cybersecurity experience by 2026.ᶦᶦ

A closer look at these changes over the past few years shows that, in most cases, the increase in disclosed director experience reflects companies adding cyber‑related experience to the biographies of longer‑standing board members, with some boards adding a new director with cybersecurity experience. The new arrivals have included former CIOs and senior information technology executives, the head of a cybersecurity company, and former leaders in federal intelligence agencies or the Department of Defense.

Alignment with an external framework or standard

The number of companies that disclosed the alignment of their cybersecurity program and information security practices with an external security process or control framework increased to 25% this year, up from just 1% in 2018. The framework of the National Institute of Standards and Technology (NIST) was cited by 16 companies, more than any other. Among the others referenced were the International Organization for Standardization (ISO) 27001 and HITRUST. A number of companies also disclosed that certain portions of their controls were covered by the American Institute of Certified Public Accountants (AICPA) System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2) service audit reports.

Compensation incentives

This year, we observed a modest increase in companies specifically disclosing performance related to cybersecurity or privacy issues as a consideration in determining executive pay: 12% of companies did so, compared with zero in 2018. Even so, companies generally cited cyber considerations (e.g., maintained strong cyber defense with no material business-impacting events amid a heightened cyber-threat environment) only among a host of other nonfinancial company or individual performance considerations in executive pay decisions.

Response readiness simulations

The percentage of companies disclosing that they performed cyber incident simulations with management and/or the board remains low, increasing to 16% this year, from 3% in 2018. Of the companies that disclosed such exercises, several disclosed that the board participated, and one specified that the board actively participates in discussions and simulations of cybersecurity risks both internally and with law enforcement, government officials, and peer and industry groups. Rigorous simulations are critical risk preparedness practices that Ernst & Young LLP (EY) and others believe companies should prioritize.

If cybersecurity breach simulation plans are not practiced and a breach occurs, the reaction by the board and management is largely improvised. Well‑designed incident simulations can stress‑test the organization’s capabilities and improve readiness by providing clarity of roles, protocols and escalation processes. These simulations often include third parties (e.g., a public relations firm, forensic specialists, outside counsel and/or law enforcement as noted previously). Policies on ransomware should also be established ahead of time, including whether the company and board would approve payment and under what circumstances, as well as a full understanding of insurance contract terms and conditions. Management should conduct these exercises to test the company’s significant vulnerabilities and identify where the greatest financial impact could occur. Boards should consider participating in these simulations so that their insights and experiences can be incorporated to elevate the company’s ability to respond and recover.

Further, such exercises help companies develop and practice action plans related to data privacy issues. Cyber breaches can — and often do — result in the loss of personal data. These events require compliance with a host of complex state and federal laws (all of which call for prompt notice to states, regulators and affected persons), and may require compliance with the laws of non‑US jurisdictions. Regular practice is key to establishing effective preparation and responses.

Use of external independent advisor

Another component of the SEC rules requires registrants to disclose whether they use assessors, consultants, auditors or other third parties in connection with their processes to assess, identify and manage risks from cybersecurity threats, and whether they have processes in place to oversee and identify risks related to their use of third-party service providers. In our analysis, the percentage of companies disclosing the use of an external independent advisor to support management on cybersecurity matters grew to 45% this year, from 15% in 2018. Among the companies that made the disclosure this time around, nine indicated that the board received reports from the independent third party. One company disclosed that the audit and compliance committee annually engages third parties (as well as the company’s internal audit department) to audit the company’s information security programs, with the findings reported to the audit and compliance committee.

Disclosure of cyber incidents

There appears to be a gap between disclosures related to material cybersecurity incidents, including the depth of those disclosures, and the number and scale of cyber incidents reported in the news media and third‑party reports. The 2023 Verizon Data Breach Investigations Report stated there were 5,199 confirmed data breaches between November 1, 2021 and October 31, 2022, across small to large organizations, but the report did not address the materiality of these breaches. According to research provided to EY by Audit Analytics for the same time period, there were 57 cyber incidents reported to the SEC in a public filing.

The SEC’s rules require disclosure of a material cybersecurity incident in Form 8‑K within four business days of determining that it is material. The SEC states that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important,” and the company must take into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. If any required information has not been determined or is unavailable at the time the company prepares the initial Form 8-K, the company must file an amended Form 8-K containing that information within four business days after it determines the information or the information becomes available.

Disclosures to date range from stating the occurrence of an incident to providing a more in‑depth account, including the number of account holders affected; the nature of the data; costs and insurance offsets; and remedial steps taken to fix the security vulnerability.

The SEC is not the only corporate governance stakeholder seeking more disclosures about cyber incidents. In its Governance QualityScore rating solution, Institutional Shareholder Services (ISS)ᶦᶦᶦ includes 11 factors that address information security risk management and oversight. These factors include board members’ information security expertise; frequency of briefing the board on information security matters; whether the company maintains a cyber risk insurance policy; and the existence of, and financial impact from, recent security breaches.

Takeaways for board oversight

To provide effective oversight, boards must be familiar with the risks that cybersecurity threats can bring. With the appropriate level of familiarity, boards can effectively monitor the extent of the risks and influence investment decisions in order to mitigate the risk presented by cybersecurity threats and to be prepared when cyber incidents do occur. Leading boards are focused on prioritizing cybersecurity oversight, asking probing questions, staying current on regulations, and providing increasingly transparent and timely disclosures that inform shareholders how the company is addressing cybersecurity risk.



Summary

Boards play an important role in overseeing enhanced disclosures that clarify the board’s oversight of cybersecurity risks and its competency to provide it. To better understand leading disclosure practices, this annual report from the EY Center for Board Matters provides an analysis of cyber‑related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies over the past six years. The research shows steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.
