The SEC tried to map out disclosure. Cyberattacks are now among the most serious risks to business. After the SEC issued Commission-level guidance in 2018 (augmenting the staff’s 2011 guidance), Jamie Smith, Bridget Neill, and Stephen Klemash of the Ernst & Young Americas Center for Board Matters analyzed the cybersecurity disclosures of public companies. Aiming to help investors, the SEC clarified registrants’ duties to disclose cybersecurity risks, any material breaches of security, and the possible effects of breaches on finances and operations. It reminded companies that several existing disclosure requirements (e.g., the business description, MD&A, and risk factors) might call for cybersecurity disclosure. Two subjects were new in the 2018 guidance: an emphasis on robust disclosure controls and procedures, and a reminder that insider-trading prohibitions apply to material nonpublic information about cybersecurity incidents. Disclosures that would themselves weaken a company’s cybersecurity were not required. The SEC said it would not second-guess good-faith disclosure decisions about breaches but would bring enforcement actions where disclosure is seriously deficient; in fact, it had already done so once.

A small hike in reporting. The authors analyzed cybersecurity disclosure in the proxy statements and 10-Ks of the 82 companies in the 2019 Fortune 100 that had filed both documents in 2018 and again by September 5, 2019. The analysis covered three areas, cybersecurity risk factors, board oversight, and risk management, and concluded that many companies had improved their disclosure. All 82 companies identified cybersecurity as a risk factor in both 2018 and 2019. In the other two areas, board oversight and risk management, most disclosure measures showed slight year-to-year increases, although the depth and specificity of the disclosures varied greatly. The key year-to-year changes concerned board oversight. The share of filers whose proxy statement’s risk-oversight section specifically addressed cybersecurity rose from 80% in 2018 to 89% in 2019. Those disclosing that their boards had delegated cybersecurity oversight to a board-level committee rose from 78% to 84%.
Boards needed experts and point persons to boot. The share of sampled companies that said they were seeking directors with cybersecurity expertise, cited such expertise in one or more director biographies, or did both rose from 40% in 2018 to 54% in 2019. The share that designated one or more point persons in management (the chief information security officer or the chief information officer, for example) to keep directors informed about cybersecurity grew from 26% to 33%. Although the share that addressed how often management briefed the directors rose from 39% to 43%, the frequency was rarely quantified; most filers used words such as “regularly” or “periodically.” Only 16% in 2019 (up from 12% in 2018) disclosed that management briefed the board at least annually or quarterly.
The compass of mitigation efforts was wide. In the third area analyzed, risk management, 82% of the companies in 2018 and 89% in 2019 reported efforts to reduce cybersecurity risk. Those reporting response planning for cyberattacks (e.g., disaster recovery or business continuity) rose from 49% to 55%. In both years, only 9% disclosed preparation for attacks such as simulations, tabletop exercises, and response-readiness tests. Those reporting education and training to reduce risk climbed from 18% in 2018 to 26% in 2019. Eleven percent in 2019, up from 6% in 2018, indicated that they collaborated with peer companies, industry associations, or policymakers. The share that said they had retained an independent outside advisor slipped slightly, from 13% to 12%, and no company disclosed the scope of that advisor’s assessment.
Abstracted from What Companies Are Sharing About Cybersecurity Risk And Oversight, published by Ernst & Young Americas Center for Board Matters, 2100 One PPG Place, Pittsburgh PA 15222. To read the full text, visit https://assets.ey.com/content/dam/ey-sites/ey-com/en_us/topics/cbm/ey-cbm-cybersecurity-risk-oversight-final-eycom.pdf.
To read other publications by the EYA Center for Board Matters, visit www.ey.com/en_us/board-matters. For a Nasdaq memorandum on S&P 100 companies’ oversight practices and skill sets concerning cybersecurity, including findings on board structure and corporate governance, go to https://www.nasdaq.com/governance-center/boards-and-cybersecurity.
Editor’s note: On December 19, 2019, the SEC posted guidance on intellectual property and technology risks for companies with international business operations. See www.sec.gov/corpfin/risks-technology-intellectual-property-international-business-operations.
To read the most recent issue of DIMENSIONS, click here.