
ISS: Cybersecurity Disclosure Benchmarking

By Randi Morrison posted 11-29-2022 04:32 PM


This new ISS report: “Cybersecurity Disclosures: What Progress has been made?” benchmarks cybersecurity-related disclosure among the S&P 500 and the Russell 3000 (excluding the S&P 500) with reference to ISS’s information security Governance QualityScore factors added in 2021 (see our report here and the US-applicable factors on pages 3-10 here).

Key takeaways include*:

Does the company disclose an approach on identifying and mitigating information security risks?

  • Approximately 58% of Russell 3000 companies and 31% of S&P 500 companies provide general disclosure, while about 40% of the Russell 3000 and 69% of the S&P 500 disclose a “clear approach.”

How many directors with information security experience are on the board?

  • About 48% of the Russell 3000 and 11% of the S&P 500 disclose no directors with cybersecurity experience; however, more than 25% of the Russell 3000 disclose one director with such experience, and S&P 500 companies commonly disclose more than one.

How often does senior leadership brief the board on information security matters?

  • The majority of Russell 3000 companies don’t disclose any information about briefings (frequency or otherwise). S&P 500 companies tend to either not disclose the frequency (30%) or report briefings on a “more frequent than annual” basis (30%).

Does the company have an information security training program?

  • The majority of Russell 3000 companies don’t disclose any information on IS training programs, while S&P 500 companies tend to disclose annual training (30%) or the fact that they have a training program without disclosing the frequency (31%).

Has the company entered into an information security risk insurance policy? 

  • Nearly half of Russell 3000 companies and 61% of S&P 500 companies disclose they have cybersecurity insurance.

Has the company experienced an information security breach in the last three years?

  • Relatively few companies provide disclosure on this. Interestingly, of those companies that make disclosure, a plurality report having had no breaches in the last three years.

What percentage of the [board] committee responsible for information security risk is independent? 

  • A majority of Russell 3000 companies and more than 90% of S&P 500 companies disclose an information security committee with independent members.

Is the company externally audited or certified by top information security standards? 

  • Relatively few companies provide any disclosure on this topic. Of those that do, a plurality disclose partial audits. 

*Sidley’s memo: “ISS Significantly Expands Governance QualityScore; ISS and Glass Lewis 2021 Policy Updates Now in Effect” includes the detailed explanation of the above scoring factors.

See the Society’s May 2021 comment letter to ISS expressing members’ concerns on these then-new scoring factors.

This post first appeared in the weekly Society Alert!
