Companies Ramping Up Cyber Reporting to their Boards: E&Y

U.S. companies have significantly ramped up cyber disclosure practices over the last six years, though a large gap remains between disclosed cyber incidents and those reported by third parties, according to a new Ernst & Young report.

Source: Advisen | Published on September 1, 2023

The business consulting firm analyzed cyber-related disclosures in proxy statements and annual 10-K filings of Fortune 100 companies and found that more now provide insight into management reporting to their boards on cybersecurity matters, with a disclosure rate of 87% compared with 55% in fiscal year 2018. More organizations now also charge at least one board-level committee with cybersecurity oversight (91% vs. 72%) and identify at least one point person responsible for reporting to the board on cyber matters (60% vs. 23%).

“To provide effective oversight, boards must be familiar with the risks that cybersecurity can bring,” Ernst & Young wrote. “With the appropriate level of familiarity, boards can effectively monitor the extent of the risks and influence investment decisions in order to mitigate the risk presented by cybersecurity threats and to be prepared when cyber incidents do occur.

“Leading boards are focused on prioritizing cybersecurity oversight, asking probing questions, staying current on regulations and increasingly transparent and timely disclosures to inform shareholders how the company is addressing cybersecurity risk.”

It appears that companies still have room for improvement – and a lot of it – in other areas of cyber reporting. Perhaps the most significant is the disclosure of material cybersecurity breaches.

A 2023 Verizon data breach report noted there were about 5,200 confirmed data breaches between November 2021 and October 2022. Researchers from Audit Analytics found that, for the same period, organizations reported just 57 incidents to the U.S. Securities and Exchange Commission (SEC) in a public filing.

While not all of the 5,200 data breaches impacted public companies, recently passed SEC cyber-incident disclosure rules will require public companies to disclose all cybersecurity incidents within four business days of determining the event could have a material impact on financial performance.

Other noteworthy increases in disclosure rates include details on how frequently management reported to the board or committees (83% vs. 37% in 2018), cybersecurity listed as an area of expertise sought on the board (61% vs. 20%), cybersecurity expertise in at least one director biography (68% vs. 33%), and use of an external independent advisor (45% vs. 15%).

Adding details such as the frequency of cyber reporting to the board “may help stakeholders assess whether the board is engaging with the CIO, CISO or equivalent executive with an appropriate cadence to conduct its oversight.”

Ernst & Young noted that in its discussions with directors, many indicated that the company’s information chiefs “intentionally raise cyber risks in their interactions with other members of management.”

“In doing so, directors invoke a heightened tone at the top and demonstrate that cyber is viewed as a critical enterprise risk that is ultimately owned by the businesses and touching key activities across the company, from M&A to product development to vendor management to human resources.”

Company disclosures that they performed cyber-incident simulations with management or board members remained low, increasing to 16% from just 3% in 2018. Ernst & Young warned that if companies aren’t regularly practicing incident-response plans, when a breach occurs “the reaction by the board and management is largely improvised.” Management should conduct these exercises to test significant vulnerabilities and identify where the greatest impacts would occur.

“Rigorous simulations are critical risk preparedness practices that Ernst & Young LLP and others believe companies should prioritize,” it wrote.