The EY Center for Board Matters (EY Center) has released its third annual analysis of cybersecurity-related disclosures by Fortune 100 companies. The report, What companies are sharing about cybersecurity risk and oversight in 2020, states that the most significant disclosure changes in 2020 were in the area of board oversight. Board-level oversight responsibility is usually assigned to the audit committee. While there is a trend to more disclosure concerning cybersecurity oversight, the EY Center notes the “continued scarcity of disclosures related to cyber-readiness simulations and the use of independent third-party advisors.”
Similar to its approach to audit committee disclosure (see Voluntary Audit Committee Disclosures Continue to Increase – But Only Slightly, above), the EY Center reviewed the disclosures of the 76 Fortune 100 companies that filed annual Form 10-Ks with the SEC between 2018 and May 31, 2020. Highlights of its findings include:
Board-level committee oversight. Eighty-seven percent of the companies have a board-level committee with responsibility for cybersecurity oversight (up from 82 percent in 2019 and 74 percent in 2018). Sixty-seven percent of boards assign cybersecurity oversight to the audit committee (up from 62 percent in 2019 and 59 percent in 2018). Twenty-six percent of companies assigned cybersecurity oversight to a committee other than audit (e.g., risk or technology committees), down from 28 percent in 2019. Seven percent of boards assigned cybersecurity to both the audit committee and another committee.
Identification of director skills and expertise. In 2020, 58 percent of these companies disclosed that they included cybersecurity as an area of expertise sought on the board or cited such expertise in at least one director biography (up from 51 percent last year and 39 percent in 2018).
Management reporting. Sixty-one percent of the 76 Fortune 100 companies “provided insights” into management reporting to the board and/or committees overseeing cybersecurity. Thirty-three percent identified a management cybersecurity point person (e.g., the Chief Information Security Officer). Forty-seven percent included disclosure concerning the frequency of management reporting to the board or committees, although the EY Center found that “most of this language was vague.”
Risk factor disclosure. As in the past two years, all companies included cybersecurity as a risk factor, and data privacy was a risk factor for 99 percent. The report states that “a quarter (24 percent) focused on data privacy as a stand‑alone risk factor, often noting increasingly complex and changing data privacy regulations that create high financial and legal exposure in addition to the reputational and operational risks involved.”
Compensation incentives. Only 5 percent of these companies disclosed that they included cybersecurity in executive pay considerations, generally as a qualitative factor considered in connection with annual incentive pay.
Response readiness simulations and tabletop exercises. As noted above, only 7 percent of the companies disclosed that they performed cyber‑incident simulations (up from 3 percent in 2019). The report states: “Simulations are a critical risk‑preparedness practice that EY leaders and others believe companies should prioritize. * * * Management should conduct these exercises to test the company’s significant vulnerabilities and where the greatest financial impact is at stake. Boards should consider participating in at least one of these simulations annually.”
Use of external independent advisor. Twelve companies disclosed management use of an external independent cybersecurity consultant, the same number as last year. Four of these companies disclosed that the board met directly with the independent third party.
Based on dialogue with directors and cybersecurity experts, the report lists “leading board practices” with respect to cybersecurity and concludes with a series of questions for board consideration:
Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity?
Do the company’s disclosures effectively communicate the rigor of its cybersecurity risk management program and related board oversight?
What information has management provided to help the board assess which critical business assets and critical partners, including third parties and suppliers, are most vulnerable to cyber attacks?
Have appropriate and meaningful cyber metrics been identified and provided to the board on a regular basis and given a dollar value?
How does management evaluate and categorize identified cyber and data privacy incidents and determine which to escalate to the board?
Has the board leveraged a third-party assessment, as described in the NACD’s Cyber-Risk Oversight 2020 handbook, to validate the cybersecurity risk management program is meeting its objectives? If so, is the board having direct dialogue with the third party related to the scope of work and findings?
Has the board participated with management in one of its cyber breach simulations in the last year?
Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?
Comment: Audit committees should focus on both the disclosure their company is making concerning cybersecurity risk oversight and the substance of the company’s cyber risk mitigation program. As to disclosure, committees should consider whether the company’s disclosures effectively communicate the risk management program and the related board oversight. The EY Center recommends that the objective of this disclosure be to build “stakeholder trust around how cybersecurity is prioritized, managed and overseen.” The EY Center’s suggestions as to the substance of the cyber risk effort also deserve consideration, particularly those relating to the use of outside advisors, periodic cyber‑incident simulations, and board participation in such exercises.