Tapping into a topic of great interest to companies, investors, and regulators, EY's fifth annual review of 74 Fortune 100 proxy statement and Form 10-K disclosures (filings through May 31, 2022) on board cybersecurity oversight, cybersecurity and data privacy risks, and cybersecurity risk management reports these and other noteworthy findings for 2022:
Board Oversight
- 61% of companies (compared to 65% in 2021 and 35% in 2018) included cybersecurity expertise among the director qualifications sought on the board or possessed by at least one director, and 51% of companies (compared to 55% last year and 28% in 2018) included cybersecurity expertise in at least one director biography.
- 88% of companies disclosed that at least one board-level committee was charged with cybersecurity oversight: 70% disclosed audit committee oversight (memorialized in the audit committee charter by 69% of those companies); 28% disclosed non-audit committee oversight (memorialized in the relevant committee charter by 86% of those companies).
- 74% of companies (compared to 65% last year) provided insights into their management's reporting to the board and/or committee(s) responsible for cybersecurity oversight; 49% identified at least one "point person(s)" (most commonly the CISO or CIO), compared to 41% that did so in 2021.
- 68% of companies (compared to 54% in 2021) included language on the frequency of management reporting to the board or committee(s); 39% disclosed the reporting frequency (at least annually or quarterly), compared to 31% that did so last year.
Cybersecurity / Data Privacy Risk
- As has been the case in prior years, all companies included cybersecurity as a risk factor and 99% included data privacy as a risk factor.
Risk Management
- 99% of companies referenced efforts (e.g., processes, procedures, systems) to mitigate cybersecurity risk.
- 66% of companies referenced response readiness, such as planning, disaster recovery, or business continuity considerations.
- 51% of companies (compared to 43% last year and 31% in 2018) disclosed that the company maintains cybersecurity insurance.
- 45% of companies (compared to 36% last year and 18% in 2018) disclosed utilizing education and training to mitigate cyber risks.
- 28% of companies disclosed use of an external independent advisor, and 7% disclosed board engagement with an external independent advisor (compared to 22% and 7% last year, respectively).
The report includes: (i) 5-year trend data; (ii) sample disclosures on board oversight, board cyber qualifications, response readiness and tabletop exercises, use of external independent advisor and board engagement, and alignment with external framework or standard; (iii) links to a “best practice model” cybersecurity committee charter and a corporate security report; (iv) ISS’s Governance QualityScore cyber risk factors; (v) an instructive list of leading oversight practices the firm has identified based on its director engagements and worldwide practice; and (vi) an overview of relevant regulatory initiatives.
This post first appeared in the weekly Society Alert!