EY’s Annual Cybersecurity Disclosure Analysis: Most Breaches Go Unreported
The EY Center for Board Matters (EY Center) has released How cyber governance and disclosures are closing the gaps in 2022, its annual analysis of cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies. The EY Center reports that “over the past five years, we have seen steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.” However, the Center believes that, in one area, reporting is lagging: “There appears to be a gap between disclosures around material cybersecurity incidents, including the depth of the disclosures, as compared with the number and scale of cyber incidents reported in the news media and third-party reports.”
The EY Center reviewed reports of the 74 Fortune 100 companies that filed with the SEC from 2018 through May 31, 2022. In general, cybersecurity disclosure trends identified in last year’s EY report continued in 2022. (For discussion of the 2021 EY Center report, see EY Reports on the State of Cybersecurity Risk Disclosure, September-October 2021 Update.) Key 2022 findings include:
Ninety-five percent of the surveyed companies disclosed a focus on cybersecurity in the risk oversight section of the proxy statement, up from 76 percent in 2018.
Seventy-four percent of the companies provided insights into management reporting to the board or to committees overseeing cybersecurity matters, up from 54 percent in 2018. Sixty-eight percent discussed the frequency of such reporting, compared to 36 percent in 2018. In addition, 39 percent disclosed that management reports to the board on cybersecurity at least annually or quarterly; only 11 percent did so in 2018.
More than half of the companies cited cybersecurity experience in at least one director biography, up from 28 percent in 2018. Further, 46 percent disclosed cybersecurity as an area of expertise sought on the board.
Forty-nine percent identified at least one cybersecurity point person (e.g., the chief information security officer or the chief information officer) who reports to the board. Twenty-three percent identified such a person in 2018.
Fifty-one percent reported maintaining cybersecurity insurance, compared to 31 percent in 2018.
Only 9 percent of the Fortune 100 companies reviewed disclosed performing cyber tabletop exercises and response readiness simulations. Three percent reported such exercises and tests in 2018. (In a 2021 EY survey of board members, 86 percent said their board had not participated in a breach or ransomware simulation exercise in the last 12 months.) The EY Center strongly recommends that companies engage in such simulations. “If cybersecurity breach simulation plans are not practiced and a breach occurs, the reaction by the board and management is largely improvised. Well-designed incident simulations and tabletop exercises can stress-test the organization and improve readiness by providing clarity of roles, protocols and escalation processes * * * .”
Cybersecurity risk is typically an audit committee responsibility. The EY Center found that 70 percent of the Fortune 100 companies reviewed assign cybersecurity oversight to the audit committee – a slight increase over 2021 and up from 57 percent in 2018. Sixty-nine percent of those companies formalized the audit committee’s cyber responsibility in the committee charter.
As noted above, the EY Center believes that many cybersecurity breaches are not disclosed. The report states that only 40 of the 74,098 Form 8-K filings in 2020 reported material cybersecurity incidents. In contrast, the 2020 Verizon Data Breach Incident Report stated there were 3,950 confirmed data breaches in 2020 (Verizon did not address the materiality of these breaches). The EY Center report also quotes a government official as opining that only about a quarter of ransomware intrusions are reported.
Based on EY’s work in this field, the report lists ten “leading practices” in board cyber risk oversight. These practices, which are similar to the nine leading board practices in last year’s report, are:
Elevate the tone. Establish cybersecurity as a key consideration in all board matters.
Stay diligent. Address new issues and threats stemming from remote work and the expansion of digital transformation. And remember that every employee needs to be diligent, too — 82% of breaches involve a human element, according to Verizon’s 2022 Data Breach Incident Report, issued in late May.
Determine value at risk. Reconcile value at risk in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage.
Leverage new analytical tools. Such tools inform the board of cyber risks ranging from high-likelihood, low-impact events to low-likelihood, high-impact events (i.e., a black swan event).
Embed security from the start. Embrace a “trust by design” philosophy when designing new technology, products, and business arrangements.
Independently assess your program. Obtain a rigorous third‑party assessment of your cyber risk management program (CRMP).
Evaluate third-party risk. Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain. Supply chains were responsible for 62% of system intrusion incidents in 2021, according to Verizon’s 2022 Data Breach Incident Report.
Test response and recovery. Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third-party specialists before a crisis.
Understand escalation protocols. Have a defined communication plan for when the board should be notified, including incidents involving ransomware.
Monitor evolving practices and the regulatory and public policy landscape. Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics.
The report also discusses public policy developments affecting cyber defenses, risk, and breach disclosure. One of the themes of the report is that the SEC’s proposed cybersecurity rules will have a significant impact on future disclosure. Among other things, the SEC proposals would require reporting within four business days of a material cybersecurity incident and periodic reporting of a company’s cybersecurity risk management, strategy, and governance. The SEC has indicated that it plans to finalize these proposals in early 2023. See SEC Proposes Cyber Risk Management and Attack Reporting Requirements, March 2022 Update. The EY Center reviews various other government actions related to cybersecurity, including passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. See New Legislation Requires Cyber Incident Reporting, March 2022 Update.
Comment: Cybersecurity risk and related disclosures should be on the agenda of all audit committees. Even in those cases where the audit committee is not charged with substantive responsibility for cyber risk, disclosure related to strategy and any breaches would fall within the scope of the committee’s oversight. The Appendix to the report contains a compilation of sample cybersecurity disclosures from public filings. These examples are worth reviewing to understand how other companies are approaching disclosure in this area.
In the next six months the SEC is likely to adopt both its proposed climate change disclosure rules and its cybersecurity reporting proposals. The EY Center observes that it will be challenging for audit committees to “absorb both incremental cyber and ESG reporting obligations and governance responsibilities.” As to cyber, the Center’s advice is to begin now: “Although the proposed SEC rules would formalize the timing and specify the content and location of cybersecurity disclosures by companies, the opportunity remains for registrants to not wait for the rules to become final or to limit themselves to doing only what is required. In other words, an opportunity is at hand to strengthen disclosures to demonstrate accountability and engagement, and to build stakeholder trust around how cybersecurity is prioritized, managed and overseen as a critical enterprise risk and strategic function.”