Tapping into a topic of great interest to companies, investors, and regulators, EY's fourth annual review of 77 Fortune 100 proxy statement and Form 10-K disclosures (filings through May 31, 2021) on board cybersecurity oversight, cybersecurity and data privacy risks, and cybersecurity risk management, revealed these and other noteworthy findings for 2021:
Board Oversight
- 65% of companies (compared to 36% in 2018) included cybersecurity expertise among the director qualifications sought on the board or possessed by at least one director, and 56% of companies (compared to 44% last year and 27% in 2018) included cybersecurity expertise in at least one director biography.
- 90% of companies disclosed that at least one board-level committee was charged with cybersecurity oversight: 68% disclosed audit committee oversight; 30% disclosed non-audit committee oversight - most commonly, a risk or technology committee.
- Among the boards assigning cybersecurity oversight responsibilities to the audit committee or to a non-audit committee, 65% of the former and 100% of the latter formalize those responsibilities in the respective committee's charter.
- 69% of companies provided insights into their management's reporting to the board and/or committee(s) responsible for cybersecurity oversight; 44% identified at least one "point person(s)" (e.g., CISO, CIO).
- 56% of companies included language (typically vague) on the frequency of management reporting to the board or committee(s); 34% disclosed the reporting frequency of at least annually or quarterly.
Cybersecurity / Data Privacy Risk
- As has been the case in prior years, all companies included cybersecurity as a risk factor and 99% included data privacy as a risk factor.
Risk Management
- 96% of companies referenced efforts (e.g., processes, procedures, systems) to mitigate cybersecurity risk.
- 64% of companies referenced response readiness, such as planning, disaster recovery, or business continuity considerations.
- 42% of companies disclosed that the company maintains cybersecurity insurance.
- 34% of companies disclosed utilizing education and training to mitigate cyber risks.
- 22% of companies disclosed use of an external independent advisor, and 6% disclosed board engagement with an external independent advisor.
The report includes: (i) 4-year trend data; (ii) sample disclosures on management reporting structure and frequency, response readiness and tabletop exercises, the use of independent advisors, and alignment of the company’s cybersecurity program and IS practices with an external framework or standard; (iii) an instructive list of leading oversight practices the firm has identified based on its director engagements and worldwide practice; and (iv) an overview of relevant regulatory initiatives.
This post first appeared in the weekly Society Alert!