Tapping into a topic of great interest to companies, investors, and regulators, EY's annual review of 79 Fortune 100 proxy statement and Form 10-K disclosures (filings through May 31, 2024) on board cybersecurity oversight and cybersecurity risk management reveals the following noteworthy findings for 2024, among others:
Board Oversight
- 85% of companies (compared to 68% in 2022 and 42% in 2018) included cybersecurity expertise among the director qualifications sought on the board (72%) or possessed by at least one director (71%).
- 95% of companies disclosed that at least one board-level committee was charged with cybersecurity oversight, with 81% disclosing audit committee oversight and 29% disclosing oversight by a non-audit-focused committee (e.g., risk, technology).
- 96% of companies (compared to 78% in 2022 and 51% in 2018) provided insights into their management's reporting to the board and/or committee(s) responsible for cybersecurity oversight.
- 84% of companies identified at least one management role (e.g., CISO or CIO) providing cybersecurity insights to the board, compared to 42% that did so in 2022 and 18% in 2018.
- 95% of companies (compared to 70% in 2022 and 34% in 2018) included language on the frequency of management reporting to the board or committee(s); 57% disclosed at least annual or quarterly reporting (compared to 44% in 2022 and 13% in 2018).
- All companies referenced efforts (e.g., processes, procedures, systems) to mitigate cybersecurity risk, compared to 85% in 2018.
- 95% of companies referenced response readiness, such as planning, disaster recovery, or business continuity considerations, compared to 53% in 2018.
- 25% of companies disclosed maintaining cybersecurity insurance, compared to 8% in 2018.
- 82% of companies disclosed utilizing education and training to mitigate cyber risks (compared to 47% in 2022 and 15% in 2018).
- Up from 34% in 2022, 87% of companies disclosed use of an external independent advisor, while 10% disclosed board engagement with an external independent advisor.
The report includes: (i) trend data from 2018; (ii) identification of two committee charters illustrating disclosure of committee cyber risk oversight responsibilities; (iii) sample disclosures; and (iv) an instructive list of leading oversight practices the firm has identified based on its engagements.