Tapping into a topic of great interest to companies, investors and regulators, EY's second annual review of Fortune 100 company proxy statement and Form 10-K disclosures (as of September 5th) on board cybersecurity oversight, cybersecurity risk, and cybersecurity risk management revealed these and other noteworthy findings:
- Board Oversight:
  - 54% of companies included cybersecurity expertise among the director qualifications sought on the board or possessed by at least one director, compared to 40% last year.
  - 84% disclosed that at least one board-level committee was charged with cybersecurity oversight (65% disclosed audit committee oversight; 28% disclosed non-audit-focused committee oversight).
  - 54% provided insights into management reporting to the board and/or committee(s) responsible for cybersecurity oversight; 33% identified at least one "point person" (e.g., the CISO or CIO).
  - 43% included language (typically vague) on the frequency of management reporting to the board or committee(s); 16% disclosed the reporting frequency either specifically or generally.
- Cybersecurity Risk:
  - All companies included cybersecurity as a risk factor consideration.
  - Nearly 90% disclosed a focus on cybersecurity in the risk oversight section of their proxy.
- Risk Management:
  - 89% referenced efforts (e.g., processes, procedures, systems) to mitigate cybersecurity risk.
  - 26% disclosed utilizing education and training to mitigate cyber risks.
  - 12% disclosed use of an external independent advisor.
EY's field observations reveal that companies' cyber risk management and oversight efforts extend beyond the activities they voluntarily disclose; for example, the firm routinely observes companies conducting tabletop exercises and engaging third-party advisors. The report also includes an instructive list of leading oversight practices the firm has identified based on its worldwide practice, as well as investor perspectives on portfolio company cyber risk management and oversight.
See our recent report, "Benchmarking: Board Cybersecurity Oversight," and additional information and resources on our Cybersecurity and Annual Meeting pages. This post first appeared in the weekly Society Alert!