Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:
- Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
- Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
- How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.
Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here.
Business Are Under Pressure to Disclose Cyber Risks
It’s no secret that cybersecurity has become a regular topic of discussion for boards and top leadership. But just because something is discussed every once in a while doesn’t mean that organizations are taking effective steps to deal with it. As the events of past two years have shown, cybersecurity risks are real, and publicly traded organizations that experience a cyber incident — be it a breach, ransomware attack, denial-of-service (DoS) or other digital disruption — will quickly find themselves in the spotlight with ample, but unwanted, news coverage.
The problem for many of these companies isn’t the spotlight from the press or the immediate drop in stock value — it’s the secondary but very significant impacts coming from class-action lawsuits, fines and other regulatory enforcements, and long-lasting scrutiny from regulators such as the U.S. Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC).
The SEC’s 2011 guidance reminded board directors that cybersecurity — at the time a relatively new issue rising to the board’s level — was a material issue to be addressed. The 2011 guidance specifically mentioned the need “to disclose conclusions on the effectiveness of disclosure controls and procedures,” especially since a cyber incident could impact many of the other areas in which organizations are normally required to disclose information (e.g., financial and operational risks).
However, in 2018, the SEC released updated guidance for cyber-related disclosures to not only remind organizations of their duty to have controls in place to deal with insider trading, but to, in the words of SEC Chairman Jay Clayton, “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” Clayton went on to say he had requested that the SEC division of corporation finance continue to carefully monitor cybersecurity disclosures.
For those wishing to learn from the mistakes of others, the SEC maintains a list of cyber enforcement actions that includes cybersecurity-related matters.
Top Findings From EY’s Cybersecurity Disclosure Study
EY’s analysis of 10-K filings and proxy statements from Fortune 100 firms found that all organizations — yes, 100 percent — included cybersecurity as a risk factor consideration. Furthermore, 84 percent mentioned cybersecurity in the risk oversight section, and nearly 7 in 8 organizations had charged at least one committee with oversight of cyber risks (though, in 70 percent of those organizations, that committee was the audit committee, whose agenda is already bursting with challenging issues).
In terms of board qualifications, 41 percent of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34 percent of organizations mentioned the frequency of board reports, with just 11 percent reporting briefing the board annually or quarterly.
Finally, in terms of risk management, 70 percent of organizations mentioned their cybersecurity efforts and activities, such as training, personnel, refining of processes and monitoring. However, only 30 percent made any reference to incident response planning, disaster recovery or business continuity, and a tiny fraction, just 3 percent, indicated that their preparations included items such as tabletop exercises or simulations.
An Opportunity for CISOs to Play a Larger Role
As companies increasingly acknowledge cybersecurity risks as strategic risks, chief information security officers (CISOs) have an opportunity to play a larger role in the organization’s plans, investments and overall digital strategy. Instead of representing the camp of “security-as-an-IT-issue” — and with this, the simplistic view of security as an impediment to business — the CISO can help drive better conversations around cyber risks and educate top leadership and the board on emerging cybersecurity and privacy issues, including those that aren’t directly connected to cybersecurity such as artificial intelligence (AI), robotics and blockchain.
CISOs can drive progress by engaging with top leadership and the board to provide broader awareness, education and participation in matters that organizations should be more transparent about. Those cyber-related matters include incident response and emerging threats as well as gauging the organization’s readiness (e.g., tabletop exercises, simulations) and the effectiveness of its cyber risk management program.
Recommendations for Board Directors
The EY report provides several recommendations in the form of questions for boards to improve their engagement regarding cybersecurity risks. It’s worth asking the following questions of your organization:
- Has responsibility for cybersecurity been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?
- Is the board getting regular briefings on the organization’s strategy regarding cybersecurity risks and cyber resilience? How engaged is the board in reviewing the organization’s cyber risk management program, and security-related investments?
- How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?
The report also mentioned the benefits of contracting with external advisers to provide board directors the opportunity to have a “dialogue with third-party experts whose views are independent of management.”
In 2019, it is imperative that enterprises take action to inform investors about cybersecurity risks and incidents in a timely manner — even enterprises that are subject to risks but have not yet been the target of a cyberattack. In this light, board directors, top leadership and CISOs should take another look at how well their 10-K and proxy statements satisfy the requirement to disclose material information regarding cybersecurity risks.