EY Reports on the State of Cybersecurity Risk Disclosure
The EY Center for Board Matters has released How cybersecurity risk disclosures and oversight are evolving in 2021, its fourth annual analysis of cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies. EY reports that “[m]any companies are enhancing their cybersecurity disclosures related to the identification of director skills and expertise” and that there have also been “notable increases in disclosures related to the assignment of board-level committee oversight and discussing workforce education and training efforts and cybersecurity insurance.” EY found that 68 percent of Fortune 100 companies assign cybersecurity oversight to the audit committee – a one percent increase over 2020. Nine percent of the Fortune 100 disclosed a material cybersecurity incident, a decrease from 12 percent last year.
In general, cybersecurity disclosure trends identified in last year’s EY report continued in 2021. (For discussion of the prior EY Center report, see More Public Companies Are Disclosing the Board’s Cybersecurity Risk Oversight Role, September 2020 Update.) Key findings of the 2021 report include:
Identification of director skills and expertise. In 2021, 56 percent of the Fortune 100 cited cybersecurity in at least one director biography, up from 44 percent last year and 27 percent in 2018. In most cases, the increase resulted from new directors joining boards, not re-written bios.
Management reporting to the board. Sixty-nine percent of companies provided insights into management’s reporting to the board or to the committee overseeing cybersecurity matters, up from 61 percent last year and 58 percent in 2018. Forty-four percent identified at least one management official who engages in such reporting, most frequently the Chief Information Security Officer. Thirty-four percent disclosed that reporting occurs at least annually or quarterly.
Board-level committee oversight. Ninety percent of companies disclosed that at least one board-level committee has responsibility for cybersecurity oversight, up from 87 percent in 2020 and 75 percent in 2018. As noted above, the audit committee is the most frequent choice – 68 percent of boards assigned cybersecurity oversight to the audit committee. Thirty percent of boards assigned cyber to a committee other than audit, up from 19 percent in 2018. However, only about two thirds of the charters of audit committees with cybersecurity oversight responsibility expressly mention that responsibility.
Alignment with an external framework or standard. Ten percent of companies disclosed alignment of their cybersecurity program and information security practices with an external security process or control framework, up from one percent in 2018. Six percent cited the National Institute of Standards and Technology’s (NIST) cybersecurity framework, with smaller numbers citing various other frameworks.
Compensation incentives. Only 12 percent of these companies disclosed that cybersecurity or privacy is an executive pay consideration, up from 8 percent last year and one percent in 2018.
Response readiness simulations and tabletop exercises. Last year, 7 percent of companies disclosed that they performed cyber-incident simulations (up from 3 percent in 2019). EY states that the percentage of companies disclosing such simulations in 2021 was “largely the same.” No company disclosed whether the board participated in the exercises.
Use of external independent advisor. Seventeen Fortune 100 companies disclosed management use of an external independent cybersecurity consultant. Five of these companies disclosed that the board received a report from the independent third party.
Based on dialogue with directors and cybersecurity experts, EY describes nine “leading board practices” with respect to cybersecurity:
Set the tone. Establish cybersecurity as a key consideration in all board matters.
Stay diligent. Address new issues and threats stemming from remote work and the expansion of digital transformation.
Determine value at risk. Reconcile value at risk in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage.
Embed security from the start. Embrace a “trust by design” philosophy when designing new technology, products, and business arrangements.
Independently assess the cybersecurity risk management program. Obtain a third-party assessment of the cybersecurity risk management program with direct feedback to the board.
Understand escalation protocols. Include a defined communication plan detailing when the board should be notified, including ransomware incidents.
Manage third-party risk. Understand management’s processes to identify, assess and manage the risk associated with service providers and the supply chain.
Test response and recovery. Enhance enterprise resiliency by conducting rigorous simulations, including restoring off-site backups and testing recovery time and arranging protocols with third-party specialists before a crisis.
Monitor evolving practices and the regulatory and public policy landscape. Stay attuned to evolving oversight practices, disclosures, reporting structures, metrics, and regulatory and public policy developments.
The report concludes with a discussion of the U.S. public policy environment, including Executive Branch, Congressional, and SEC actions related to cybersecurity.
Comment: Cybersecurity disclosure also appears to be a priority of the new enforcement regime at the SEC. In a recent speech, the SEC’s Director of Enforcement, Gurbir Grewal, promised to continue to be “vigilant in * * * pursuing public companies that do not reasonably disclose material cybersecurity incidents. This includes charging public companies for misleading disclosures about cybersecurity events, or for inadequate controls related to such disclosures.” Audit committees should therefore be focused on the disclosures their company is making concerning both cybersecurity risk oversight and any breaches that may occur. If, in addition to disclosure, the audit committee is charged with oversight responsibility for cybersecurity, the EY Center’s best practices deserve consideration.