In this report, EY discusses an analysis it conducted of voluntary cybersecurity-related disclosures in the 10-Ks and proxy statements of Fortune 100 companies (the 79 companies that had filed as of September 1, 2018). The analysis notes that not only are regulators focused on cybersecurity risk management and disclosure, but investors also consider cybersecurity risk management critical to the board’s risk oversight responsibilities, and boards are increasingly engaged on the topic. The analysis found wide variation in the depth and nature of the disclosures.
The EY analysis looked at the following topics:
- “Board oversight including risk oversight approach, board-level committee oversight, director qualifications, management reporting structure and management reporting frequency
- Statements on cybersecurity risk and strategy, including disclosure of related strategy-focused language, shareholder engagement and risk factors
- Risk management, including cybersecurity risk management efforts or program, education and training, engagement with outside security experts and use of an external advisor”
Board Oversight. EY reports that most companies (84%) identified cybersecurity as a risk subject to board and committee oversight, typically by the audit committee (70%). However, the nature and frequency of management reporting to the board or committee were disclosed less often. Cybersecurity expertise was identified by 41% of companies as a key director qualification considered by the board, although the disclosure typically did not identify which directors were viewed as having that expertise, and the meaning of “expertise” varied widely.
Strategy Statement/Risk Factor. Only 14% of companies “highlighted in their proxy that cybersecurity is a current or emerging strategic focus, or state that data privacy is central to the company’s purpose and core values.” And cybersecurity was disclosed as a topic for engagement with shareholders for only 6% of the companies, although EY observes that those disclosures tend to be more high level and, as a result, may not capture all engagement topics. In contrast, all companies discussed cybersecurity in their risk factors, with a full 92% using a separate caption to highlight the issue.
Risk Management. Disclosures regarding risk management varied widely, but, according to EY, few companies went into much detail. With regard to risk mitigation efforts, 71% disclosed actions such as investments in personnel, training and development of processes and procedures; 30% discussed response planning, disaster recovery or business continuity; 15% discussed education and training; 14% disclosed engagement of an independent third-party advisor; 5% disclosed peer or industry group collaborations; and only 3% discussed simulations, exercises or readiness testing.
EY identifies the following as questions for the board:
- “Has the board formally assigned responsibility on cybersecurity matters—at the board and management levels?
- Does the board have access to the needed expertise on cybersecurity? And is the board getting regular updates and reports concerning cybersecurity risk strategy and event preparedness?
- Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
- Does the board know how management has performed in recent tabletop exercises simulating cybersecurity incidents—and has the board participated in any such exercises?
- Is the board hearing directly from and having a dialogue with third-party experts whose views are independent of management?
- How will the SEC guidance and investor interest impact 2019 disclosures?”