Management reporting to the board
The new SEC rules require disclosing the processes by which the board or committee responsible is informed about cyber risks. Over time, we’ve seen disclosure enhancements regarding management reporting on such risks to the board. This year, 87% of companies provided insights into management reporting to the board and/or committee overseeing cyber matters, up from 55% in 2018.
While that change is notable, the real change we’re seeing is around who is providing that information and how often it is conveyed. In 2023, 57% identified at least one person who is reporting to the board on cybersecurity, most often the CISO or CIO, up from 23% in 2018. Similarly, 49% disclosed this year that management is reporting to the board on cybersecurity at least annually, with a number of companies reporting on at least a quarterly basis, up from 12% in 2018. Many other companies include language on the frequency of management reporting, but typically that language is not specific, alluding to reports to the board that occur “regularly” or “periodically.”
As the rules indicate, the Commission directs registrants to disclose management positions or committees responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. Disclosing details of the frequency of reporting could be included as part of describing the processes by which the board or relevant committee is informed about cybersecurity risks.
Adding specificity to these disclosures may help stakeholders assess whether the board is engaging with the CIO, CISO or equivalent executive with an appropriate cadence to conduct its oversight. While it is common for either the CIO or CISO to routinely brief the board, in our discussions with directors, many indicate that they intentionally raise cyber risks in their interactions with other members of management. In doing so, directors invoke a heightened tone at the top and demonstrate that cyber is viewed as a critical enterprise risk that is ultimately owned by the businesses and that touches key activities across the company, from M&A to product development to vendor management to human resources.
Board-level committee oversight
Under the final rule, the SEC requires companies to identify and disclose whether any board committee or subcommittee is responsible for cybersecurity oversight. In our research, 91% of companies this year charged at least one board‑level committee with cybersecurity oversight, up from 72% in 2018. Since 2018, we’ve observed an increase in boards assigning oversight to committees other than audit, most often risk or technology committees. This year, 31% of boards chose a committee other than audit, for primary or additional oversight, up from 19% in 2018. Among the boards making that choice, 86% added cyber responsibilities to the committee charter.
For now, at least, audit committees remain the primary choice to oversee cybersecurity risk. This year, 75% of the boards chose audit, up from 59% in 2018. Among the boards that chose the audit committee, 82% formalized that responsibility in the committee charter.
Identification of director skills and expertise
Although the final SEC rules do not require disclosing whether directors have expertise in cybersecurity, disclosure of director cyber expertise represents one of the more significant shifts in disclosure rates that we’ve observed since initiating this analysis six years ago. In 2023, 61% of companies disclosed cybersecurity as an area of expertise sought on the board, up from 20% in 2018. More than two-thirds of the companies now cite cybersecurity experience in at least one director biography, up from 33% in 2018. Gartner predicts 70% of boards will include at least one member with cybersecurity experience by 2026.ᶦᶦ
A closer look at these changes over the past few years shows that, in most cases, the increases in director experience are related to most companies adding cyber‑related experience to longer‑standing board member bios, with some boards adding a new director with cybersecurity experience. The new arrivals have included former CIOs and senior information technology executives, the head of a cybersecurity company, and former leaders in federal intelligence agencies or the Department of Defense.
Alignment with an external framework or standard
The number of companies that disclosed the alignment of their cybersecurity program and information security practices with an external security process or control framework increased to 25% this year, up from just 1% in 2018. The framework of the National Institute of Standards and Technology (NIST) was cited by 16 companies, more than any other. Among the others referenced were the International Organization for Standardization (ISO) 27001 and HITRUST. A number of companies also disclosed that certain portions of their controls were covered by the American Institute of Certified Public Accountants (AICPA) System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2) service audit reports.
This year, we observed a modest increase in companies specifically disclosing performance related to cybersecurity or privacy issues as a consideration in determining executive pay. This year, 12% of companies did so, compared with zero in 2018. Nonetheless, companies generally cited cyber considerations (e.g., maintained strong cyber defense with no material business-impacting events amid a heightened cyber-threat environment) among a host of other nonfinancial company or individual performance considerations in executive pay decisions.
Response readiness simulations
The percentage of companies disclosing that they performed cyber incident simulations with management and/or the board remains low, increasing to 16% this year, from 3% in 2018. Of the companies that disclosed such exercises, several disclosed that the board participated, and one specified that the board actively participates in discussions and simulations of cybersecurity risks both internally and with law enforcement, government officials, and peer and industry groups. Rigorous simulations are critical risk preparedness practices that Ernst & Young LLP (EY) and others believe companies should prioritize.
If cybersecurity breach simulation plans are not practiced and a breach occurs, the reaction by the board and management is largely improvised. Well‑designed incident simulations can stress‑test the organization’s capabilities and improve readiness by providing clarity of roles, protocols and escalation processes. These simulations often include third parties (e.g., a public relations firm, forensic specialists, outside counsel and/or law enforcement as noted previously). Policies on ransomware should also be established ahead of time, including whether the company and board would approve payment and under what circumstances, as well as a full understanding of insurance contract terms and conditions. Management should conduct these exercises to test the company’s significant vulnerabilities and identify where the greatest financial impact could occur. Boards should consider participating in these simulations so that their insights and experiences can be incorporated to elevate the company’s ability to respond and recover.
Further, such exercises help companies develop and practice action plans related to data privacy issues. Cyber breaches can — and often do — result in the loss of personal data. These events require compliance with a host of complex state and federal laws (all of which call for prompt notice to states, regulators and affected persons), and may require compliance with the laws of non‑US jurisdictions. Regular practice is key to establishing effective preparation and responses.