Tapping into a topic of great interest to companies, investors, and regulators, EY's sixth annual review of 75 Fortune 100 proxy statement and Form 10-K disclosures (filings through May 31, 2023) on board cybersecurity oversight, cybersecurity and data privacy risks, and cybersecurity risk management reveals these and other noteworthy findings for 2023:
Board Oversight
- 77% of companies (compared to 68% in 2022 and 41% in 2018) included cybersecurity expertise among the director qualifications sought on the board (61%) or possessed by at least one director (68%).
- 91% of companies disclosed that at least one board-level committee was charged with cybersecurity oversight: 75% disclosed audit committee oversight (memorialized in the audit committee charter by 82% of those companies); 31% disclosed oversight by a committee other than the audit (or similar) committee (memorialized in the relevant committee charter by 86% of those companies).
- 87% of companies (compared to 69% in 2021 and 55% in 2018) provided insights into their management's reporting to the board and/or committee(s) responsible for cybersecurity oversight; 57% identified at least one "point person" (most commonly the CISO or CIO), compared to 40% that did so in 2021 and 23% in 2018.
- 83% of companies (compared to 57% in 2021 and 37% in 2018) included language on the frequency of management reporting to the board or committee(s); 49% disclosed a reporting frequency of at least annually.
Cybersecurity / Data Privacy Risk
As has been the case in prior years, all companies included cybersecurity as a risk factor and 99% included data privacy as a risk factor.
Risk Management
- On par with last year, 99% of companies referenced efforts (e.g., processes, procedures, systems) to mitigate cybersecurity risk, compared to 85% in 2018.
- 72% of companies referenced response readiness, such as planning, disaster recovery, or business continuity considerations, compared to 52% in 2018.
- 36% of companies disclosed that the company maintains cybersecurity insurance, compared to 28% last year and 17% in 2018.
- 55% of companies (compared to 45% last year and 17% in 2018) disclosed utilizing education and training to mitigate cyber risks.
- 45% of companies disclosed use of an external independent advisor, and 12% disclosed board engagement with an external independent advisor (compared to 32% and 8% last year, respectively).
The report includes:
- six-year trend data;
- sample disclosures on director expertise; board oversight; management oversight, internal organization, and reporting to the board; response readiness; use of an external independent advisor and board engagement; alignment with external frameworks or standards; and workforce training;
- links to two committee charters that reflect good examples of committee oversight responsibilities, and to a corporate security report;
- ISS's Governance QualityScore cyber risk factors;
- an instructive list of leading oversight practices the firm has identified based on its director engagements and worldwide practice; and
- an overview of relevant regulatory initiatives.