What are companies disclosing about their efforts to oversee cybersecurity risk? In this article, Ernst & Young analyzes cybersecurity-related disclosures in the proxy statements and Forms 10-K of Fortune 100 companies from 2018 to 2019, focusing on disclosure regarding board oversight, cybersecurity risk and risk management. Building on its similar analysis conducted for 2018 (see this PubCo post), EY detected “modest” enhancements in disclosures compared to the prior year—most significantly regarding board oversight practices—although the depth, detail and company-specificity of the disclosures continued to vary widely. Nevertheless, based on its observations of companies’ activities in the market, EY found that even these enhanced disclosures sometimes failed to capture all of a company’s oversight activities, such as third-party independent assessments or tabletop exercises designed to enhance preparedness. Given that many stakeholders have interests in cybersecurity risk preparedness and board oversight, EY advises, enhanced disclosure can serve to build “stakeholder confidence and trust as the cybersecurity risk landscape evolves and as technological innovations raise the stakes for data privacy and protections.”
In Senate testimony, SEC Chair offers insights into his thinking on a variety of issues before the SEC
In testimony last week before the Senate Committee on Banking, Housing and Urban Affairs, SEC Chair Jay Clayton gave us some insight into his thinking about a number of issues, including cybersecurity at the SEC, cybersecurity disclosure, the regulatory agenda, disclosure effectiveness, the shareholder proposal process, climate change disclosure, conflict minerals, compulsory arbitration provisions, stock buybacks, the decline in IPOs and overregulation (including some interesting sparring with Senator Warren). Whether any of the topics identified as problematic result in actual rulemaking—particularly in an administration with a deregulatory focus—is an open question.