Form 10-K Cyber Disclosure Benchmarking (Largest Companies)

By Randi Morrison posted 06-16-2024 05:48 PM

“Survey of Cybersecurity Disclosures in Annual Reports on Form 10-K Filed by Selected Well-Known Seasoned Issuers” from Clifford Chance summarizes cybersecurity disclosure practices among the Fortune 100 based on the firm’s analysis of Form 10-Ks for fiscal years ending on or after December 15, 2023 (44 companies).

Among the key takeaways:

Board oversight structure—36 of 42 companies that disclosed board committee oversight allocate primary responsibility to the audit committee. Just two disclosed retention of primary oversight at the full board level.

Reporting cadence—The cadence of management’s reporting to the board varies widely, as shown here:

Internal governance—Nearly one-third of companies disclosed the existence of a management-level cybersecurity committee, most commonly composed of a cross-functional team.

Management responsibility—Most companies identified a CISO, followed by a CIO, as being responsible for and having experience with assessing and managing cyber risks, while several disclosed joint officer responsibility.

Third party service providers—All but one company referenced engagement of consultants, auditors, or other third parties, as shown here:

Cybersecurity frameworks—Of the 27 companies that referenced the use of at least one cybersecurity framework, 21 mentioned NIST.

Access additional resources on our Cybersecurity/Data Privacy page.

This post first appeared in the weekly Society Alert!
