What are companies disclosing about their efforts to oversee cybersecurity risk? In this article, Ernst & Young analyzes cybersecurity-related disclosures in the proxy statements and Forms 10-K of Fortune 100 companies from 2018 to 2019, focusing on disclosure regarding board oversight, cybersecurity risk and risk management. Building on its similar analysis conducted for 2018 (see this PubCo post), EY detected “modest” enhancements in disclosures compared to the prior year—most significantly regarding board oversight practices—although the depth, detail and company-specificity of the disclosures continued to vary widely. Nevertheless, based on its observations of companies’ activities in the market, EY found that even these enhanced disclosures sometimes failed to capture all of a company’s oversight activities, such as third-party independent assessments or tabletop exercises designed to enhance preparedness. Given that many stakeholders have interests in cybersecurity risk preparedness and board oversight, EY advises, enhanced disclosure can serve to build “stakeholder confidence and trust as the cybersecurity risk landscape evolves and as technological innovations raise the stakes for data privacy and protections.”
Leading board practices. Based on its market observations, EY identified the following as leading practices for cybersecurity risk oversight by the board:
- “Having unfiltered board discussions with the chief information security officer (CISO) in executive sessions
- Gaining insights into how management is validating the operational effectiveness of its cybersecurity risk management program
- Regularly infusing cyber in boardroom conversations with all C-suite executives and division leaders to help create accountability for their role in supporting the cybersecurity environment
- Asking questions about cybersecurity impacts when contemplating any new product, initiative, partnership or business deal, and overseeing that cyber resiliency is embedded into the foundation of company practices and process (i.e., trust by design)
- Upskilling the full board via concentrated cybersecurity education and periodic training sessions with outside experts, certification courses and peer-to-peer director exchanges
- Overseeing that a third party is periodically evaluating the design and effectiveness of the company’s cybersecurity risk management program, and engaging directly with that third party to help challenge internal bias
- Overseeing, and periodically participating in, tabletop exercises and simulations as part of the company’s cybersecurity incident response and recovery planning.”
Institutional investor viewpoint. For this year’s report, EY also spoke with governance specialists at a number of institutional investors; 61% identified cybersecurity as a key risk, specifically expressing interest in whether oversight was delegated to a committee or the responsibility of the full board, how directors were getting up to speed on cyber issues, management-to-board reporting relationships, how management is addressing risk, data privacy issues and regulatory compliance.
2019 analysis. EY’s analysis studied cybersecurity disclosures in the 10-Ks and proxy statements of Fortune 100 companies (82 companies that had filed as of September 5, 2019), looking at
- “Board oversight, including risk oversight approach, board-level committee oversight, and director skills and expertise
- Statements on cybersecurity risk
- Risk management, including cybersecurity risk management efforts, education and training, engagement with outside security experts, and use of an external advisor”
Board oversight. EY reported that the percentage of companies that disclosed a focus on cybersecurity in the risk oversight section of their proxy statements grew from 80% to 89% this year, but the extent of these disclosures was highly variable. In some cases, EY reported, cybersecurity was simply identified as one among a number of risks subject to board risk oversight. In other cases, companies provided more detail regarding the exercise of board cybersecurity risk oversight, including the frequency of management reporting to the board, who among management did the reporting and some of the specific topics discussed.
In addition, 84% of companies disclosed that cybersecurity oversight had been delegated to at least one board committee, compared to 78% last year. Almost two-thirds of companies (65%) disclosed that oversight was assigned to the audit committee, compared to 62% last year, and 28% disclosed oversight by another committee (either alone or in addition to the audit committee), up from 21% in 2018. Ten percent disclosed that oversight responsibility remained with the full board.
In a significant jump, just over half (54%) included cybersecurity as an area of expertise sought on the board or cited in a director biography, compared to 40% in 2018. More specifically, EY reported that, in 2019, 33 companies cited cybersecurity in the biography of at least one director, an increase from 25 companies in 2018, although, EY acknowledged, the meaning of that data was “difficult to interpret. For example, a few companies explicitly cited cybersecurity experience in certain director biographies one year but not the other. In sum, the disclosures may at least indicate that companies are paying more attention to noting director experience or expertise in cyber.” In addition, 54% provided insights into management’s reporting to the board in 2019, roughly level with 53% last year. The percentage of companies that identified at least one “point person” from management (e.g., the CISO or the chief information officer) who reported to the board grew from 26% in 2018 to 33% in 2019. Last year, 39% disclosed, albeit sometimes vaguely, the frequency of management reporting on cybersecurity to the board, increasing to 43% this year.
Statement on cybersecurity risk. All of the companies identified cybersecurity as a risk factor in both years.
Risk management. In 2019, the vast majority (89%) of companies disclosed efforts to mitigate cybersecurity risk, such as the establishment of processes, procedures and systems, up from 82% last year. In 2019, 26% disclosed efforts to mitigate risk through education and training, up from 18% in 2018. The percentage that disclosed use of an external independent advisor actually declined slightly in 2019 to 12% from 13% in 2018. However, EY notes, in 2019, only one of these companies stated that the board engaged in a direct dialogue with the advisor, and there was no discussion of the scope of the assessment or whether the advisor provided an attestation using the AICPA framework.
Slightly over half (55%) discussed response planning, disaster recovery or business continuity issues in 2019, an increase from 49% in 2018. In both years, only 9% indicated that preparedness included simulations, tabletop exercises, response readiness tests or, in most cases, independent assessments. However, EY notes that it is “routinely observing in the market” the performance of activities such as independent assessments and tabletop exercises, and is a strong advocate for simulations:
“Simulations are a critical risk preparedness practice that EY and others believe boards should prioritize. Among other critical benefits, such exercises help companies develop and practice action plans related to data privacy issues. Cyber breaches can—and often do—result in the loss of personal data. These events require compliance with a host of complex state and federal laws (all of which call for prompt notice to states, regulators and affected persons), and may require compliance with the laws of non-US jurisdictions. Preparation is key to promoting compliance. If companies are performing cybersecurity breach simulations, they should, as a best practice, disclose that, and if not, boards should make this an agenda item in the near term.”
Board recommendations. From prior engagement with groups of directors, EY highlighted two board recommendations regarding cybersecurity: Boards need to “[s]et the tone that cybersecurity is a critical business issue,” and “[s]tay attuned to evolving board and committee cybersecurity oversight practices and disclosures, including asking management for a review of the company’s cybersecurity disclosures with peer benchmarking over the last two to three years.”
In addition, EY identified the following as questions for the board:
- “Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity?
- Do the company’s disclosures effectively communicate the rigor of its cybersecurity risk management program and related board oversight?
- Is the board communicating with C-suite executives beyond the CISO to gain insights into potential business impacts of cyber incidents, and how cybersecurity governance is integrated across all divisions?
- What resources is the board using to enhance its competency on cybersecurity topics and understand emerging threats?
- How is the board getting a pulse on the company’s culture with respect to cybersecurity?
- Does management reporting to the board include: (1) metrics that report on the health of the cybersecurity risk management program, including visibility into the effectiveness of the program, and (2) the results of cyber breach simulations? Does the board periodically participate in those drills?
- Does the board understand the scope of work performed through any independent third-party assessments, and is the board having direct dialogue with that third party?
- Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?”