The largest U.S. companies are disclosing more information about cybersecurity. That is the central finding of the 2024 edition of the EY Center for Board Matters’s annual analysis of Fortune 100 company cybersecurity disclosures. Cyber disclosures: what companies shared about cyber risks in 2024 reports that every aspect of cybersecurity disclosure EY tracks has increased since 2018. Other findings include:
Audit committees continue to oversee cyber. Eighty-one percent of Fortune 100 companies report that the audit committee has cybersecurity oversight responsibility, up from 61 percent in 2018. Thirteen percent assign cyber risk to a stand-alone risk committee, and 10 percent to a technology committee. (Some companies assign cyber risk to several committees.)
Cyber expertise is in demand. Seventy-two percent of companies report seeking board-level cyber expertise. Almost the same percentage (71 percent) disclose cybersecurity background in at least one director biography, up from 34 percent in 2018.
Dedicated cyber risk experts are engaging with the boardroom. Seventy percent of companies report that the Chief Information Security Officer provides the board with cyber risk information, up from 9 percent in 2018.
Dedicated board time on cyber. Fifty-seven percent of the 100 companies report that the board meets with management on cybersecurity at least annually or quarterly. This is more than four times the level of similar disclosure in 2018.
Preparedness exercises are common. Forty-seven percent of the companies report performing simulations, tabletop exercises, or response readiness tests, up from 3 percent in 2018.
EY also discusses the increase in cyber risk and attack sophistication. The report points out that, in 2023, cyber threat complaints to the FBI increased 10 percent and cyber attack losses increased 22 percent (to $12.5 billion annually). Thirty-two percent of cyber incidents involved an extortion scheme, such as ransomware. Company employees are a major source of vulnerability: more than two-thirds of breaches include employee involvement, such as phishing, behavior manipulation, or other methods to obtain and exploit employee credentials.
EY’s report lists ten leading practices in board cyber risk oversight, including actions the board could take and questions to consider concerning each practice. EY also presents sample language from public cyber disclosures on such topics as board cyber expertise, board oversight activities, and response readiness.
The report concludes with this takeaway:
“Leading boards prioritize cybersecurity oversight by embedding it in all appropriate board-level conversations, remaining engaged with a variety of voices from management and external experts, ensuring that relevant skills are in or accessible to the board room, and engaging in response exercises — and incorporating lessons learned into company playbooks. Further, they stay current on the evolving regulatory environment and are increasingly transparent and timely in their cyber disclosures about how the company is identifying and addressing key cybersecurity risks.”
Many audit committees play a central role in cybersecurity oversight. See CAQ and IAA: Companies are Saying More About Their Board’s Cyber and ESG Expertise in this Update. Committees with responsibility in this area may find it helpful to review EY’s report, especially the leading practices it describes and the related questions to consider.