Tapping into a topic of great interest to companies, investors and regulators, EY's third annual review of the proxy statement and Form 10-K disclosures of 76 Fortune 100 companies (filings from 2018 through May 31, 2020) examined board cybersecurity oversight, cybersecurity and data privacy risks, and cybersecurity risk management. It revealed these and other noteworthy findings:
- Board Oversight:
  - 58% of companies in 2020 included cybersecurity expertise among the director qualifications sought on the board or possessed by at least one director, compared to 51% citing this qualification in a director biography last year.
  - 87% in 2020 disclosed that at least one board-level committee was charged with cybersecurity oversight: 67% disclosed audit committee oversight; 26% disclosed non-audit focused committee oversight - most commonly, a risk or technology committee.
  - Among the boards assigning cybersecurity oversight responsibilities to the audit committee or a non-audit committee, 65% and 85% formalize those responsibilities in the audit committee's or non-audit committee's charters, respectively.
  - 61% in 2020 provided insights into management reporting to the board and/or committee(s) responsible for cybersecurity oversight; 33% identified at least one "point person(s)" (e.g., the CISO or CIO).
  - 47% in 2020 included language (typically vague) on the frequency of management reporting to the board or committee(s); 17% disclosed a reporting frequency of at least annually or quarterly.
- Cybersecurity / Data Privacy Risk:
  - As has been the case in prior years, all companies included cybersecurity as a risk factor consideration.
  - Nearly all (99%) included data privacy as a risk factor.
- Risk Management:
  - 92% in 2020 referenced efforts (e.g., processes, procedures, systems) to mitigate cybersecurity risk.
  - 29% in 2020 disclosed utilizing education & training to mitigate cyber risks.
  - 16% in 2020 disclosed use of an external independent advisor, and 5% disclosed board engagement with an external independent advisor.
The report includes 3-year trend data; sample disclosures on management reporting structure and frequency, response readiness and tabletop exercises, and the use of independent advisors; sample committee charter language on key cybersecurity oversight responsibilities; an instructive list of leading oversight practices the firm has identified based on its director engagements and worldwide practice; and investor perspectives on portfolio company cyber risk management & oversight.
This post first appeared in the weekly Society Alert!