The Securities & Exchange Commission shook up the reporting of cyber risk by public companies with its guidance statement of March 2018, warning that regulators expected to see cyber risk proactively disclosed like other business risks, including quantifying risk factors in financial terms. But how many companies have actually toed the line since?
EY, the big consultant for tax and other corporate governance issues, pored over the SEC reports of the Fortune 100 for 2018-19, looking for disclosures on cybersecurity risk management and board oversight. The result: “modest” increases in disclosure compared to last year’s survey and reports still “vary widely” in the level of detail.
Read the EY report: What Companies Are Sharing about Cybersecurity Risk and Oversight
Details from the EY survey show some of the strengths and weaknesses of cybersecurity governance in the biggest companies:
EY also suggested some best practices for boards, including:
Reading between the lines, it looks like boards and senior management still have a long way to go toward the cybersecurity risk disclosures the SEC has strongly signaled it wants to see, approaching the financial standards that the rest of public company reporting is held to. RiskLens – and the community of FAIR cyber risk quantification practitioners – is advancing business toward that standard. Surveys of boards routinely find that they are dissatisfied with the quality of reporting on cyber risk, finding it too qualitative and subjective. And the National Association of Corporate Directors has actively promoted financially based reporting on cybersecurity (see this article in the NACD blog by FAIR model creator Jack Jones and RiskLens board member and corporate governance expert James Lam). The FAIR Institute has partnered with CyberVista, the leading cybersecurity education and workforce development company, on a cyber risk curriculum for board directors. The opportunities for boards to up their game are there – we expect to see a better story on SEC reporting in next year’s EY report.
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business.