Cybersecurity Risk Disclosure Benchmarking

By Randi Morrison posted 10-26-2023 08:26 PM

ISS reported on its analysis of information security (IS) or cybersecurity risk-related disclosures among the S&P 500 and Russell 3000.

Among the key takeaways:

Risks & risk mitigation

  • S&P 500—More than 80% of companies provided detailed disclosure of their IS risks and risk mitigation strategies or plans.
  • Russell 3000—Nearly all R3000 companies disclosed at least a general approach to IS risk mitigation. Of those, the majority included detailed disclosure of their IS risks and risk mitigation strategies or plans.

Training

  • A majority of R3000 companies (excluding the S&P 500) and 85% of S&P 500 companies disclosed that they have an IS training program.
  • IS training programs are most commonly disclosed outside the Form 10-K and proxy statement (e.g., sustainability reports, corporate website).

Insurance

  • A majority of R3000 companies (excluding the S&P 500) (57%) and S&P 500 companies (67%) disclosed that they have IS risk insurance.
  • The vast majority of companies that disclose IS risk insurance include this disclosure in their Form 10-K.

Director skills/expertise

  • A majority of S&P 500 companies (54%), compared to 20% of R3000 companies (excluding the S&P 500), have at least three directors with current or prior experience at a cybersecurity firm, a current or prior cyber-related role such as CIO or similar, an IS-related certification, or company-disclosed “cyber expertise.”
  • 15% of S&P 500 companies, compared to 43% of R3000 companies (excluding the S&P 500), disclose zero directors with these qualifications.

Management briefings

  • While a majority of S&P 500 companies disclose annual or more frequent IS briefings by management to the board or a board committee, a majority of R3000 companies (excluding the S&P 500) don’t disclose whether such briefings occur.

Breach disclosure

  • More than 30% of S&P 500 companies and nearly 20% of Russell 3000 companies (excluding the S&P 500) disclosed an IS breach within the past three years.
  • Costs and damages were described as immaterial for 85% of breaches reported by S&P 500 companies and 79% of breaches reported by Russell 3000 companies (excluding the S&P 500).

Incentive compensation

  • At least 16 S&P 500 companies and 22 Russell 3000 companies (excluding the S&P 500) incorporate cybersecurity-related objectives into their annual or long-term executive pay.

See ISS’s release; our recent reports: “Board Cyber Expertise, Exposure: S&P 500,” “Benchmarking Cyber Expertise on the Board of Directors,” and “Issue-Expert Directors Don’t Make For a Qualified Board”; and additional resources on our Cybersecurity/Data Privacy page.

This post first appeared in the weekly Society Alert!