
Cybersecurity & AI Disclosure Practices & Trends

By Randi Morrison posted 11-17-2025 06:53 PM

  

Tapping into a topic of great interest to companies, investors, and regulators, EY's annual review of 80 Fortune 100 proxy statement and Form 10-K voluntary disclosures (filings through July 31, 2025) on board cybersecurity and AI oversight reveals these and other noteworthy findings for 2025:

Artificial Intelligence

Board Oversight

  • 44% of companies (compared to 26% in 2024) included AI expertise among the director qualifications sought on the board (15%) or possessed by at least one director (35%).
  • 40% of companies (compared to 11% in 2024) disclosed that at least one board-level committee was charged with cybersecurity oversight, with 21% disclosing audit committee oversight and 25% disclosing oversight by a non-audit committee.
  • 16% of companies (compared to 6% in 2019) provided insights into their management's reporting to the board and/or committee(s) responsible for AI oversight.
  • 8% of companies identified at least one management role (e.g., CISO or CTO) providing AI insights to the board, compared to 4% in 2024.
  • 9% of companies (compared to 5% in 2024) included language on the frequency of management reporting to the board or committee(s).

Risk Management

  • 25% of companies (compared to 11% in 2024) disclosed use of AI frameworks, principles, or guidelines.
  • 21% of companies addressed AI in their shareholder engagement, compared to 11% in 2024.
  • 13% of companies disclosed utilizing AI education and training (compared to 5% in 2024).
  • Up from 25% in 2024, 31% of companies included AI as a consideration in their executive compensation.

Cybersecurity

Board Oversight

  • 86% of companies (compared to 53% in 2019) included cybersecurity expertise among the director qualifications sought on the board (73%) or possessed by at least one director (74%).
  • 96% of companies disclosed that at least one board-level committee was charged with cybersecurity oversight, with 78% disclosing audit committee oversight and 35% disclosing oversight by a non-audit focused committee (e.g., risk, technology, compliance).
  • 100% of companies (compared to 57 in 2019) provided insights into their management's reporting to the board and/or committee(s) responsible for cybersecurity oversight.
  • 89% of companies identified at least one management role (e.g., CISO or CIO) providing cybersecurity insights to the board, compared to 27% that did so in 2019.
  • 99% of companies (compared to 44% in 2019) included language on the frequency of management reporting to the board or committee(s); 60% disclosed a reporting frequency of at least annually or quarterly (compared to 18% in 2019).

Risk Management

  • 73% of companies (compared to 4% in 2019) disclosed alignment with an external framework or standard, most commonly NIST (64%).
  • 99% of companies referenced response readiness, such as planning, disaster recovery, or business continuity considerations, compared to 59% in 2019.
  • 86% of companies disclosed utilizing education and training to mitigate cyber risks (compared to 25% in 2019).
  • Up from 14% in 2019, 99% of companies disclosed use of an external independent advisor.

The report includes trend data from 2019 for cybersecurity disclosures and from 2024 for AI disclosures, as well as cybersecurity oversight questions for the board to consider.

See EY’s online highlights and additional information & resources on our Cybersecurity page.
