EY Report Finds “Modest Improvement” in SEC Disclosure on Cybersecurity, Suggests Boards Get More Active in Cyber Risk Oversight

November 7, 2019  Jeff B. Copeland

The Securities & Exchange Commission shook up the reporting of cyber risk by public companies, with its guidance statement of March, 2018, warning that the regulators expected to see cyber risk proactively disclosed like other business risks, including quantifying risk factors in financial terms. But how many companies have actually toed the line since?

EY, the big consultant for tax and other corporate governance issues, pored over the SEC reports of the Fortune 100 for 2018-19, looking for disclosures on cybersecurity risk management and board oversight. The result: “modest” increases in disclosure compared to last year’s survey and reports still “vary widely” in the level of detail.

Read the EY report: What Companies Are Sharing about Cybersecurity Risk and Oversight

Details from the EY survey, show some of the strengths and weaknesses of cybersecurity governance in the biggest companies:

  • 89% disclosed a “focus on cybersecurity” in the risk oversight section of the proxy statement, up from 80%
  • 84% disclosed that at least one board-level committee was charged with cybersecurity oversight, up from 78%. There’s a small but growing trend for boards to assign infosec oversight to a non-audit committee – in other words, a risk or technology panel – at 28%. 54% (up from 40%) of boards are looking for a member with cybersecurity expertise or already have one.
  • CISO or CIO reporting directly to the board on cybersecurity is still a rarity; 33% identified a “point person” from management who reports to the board, though that was up from 26%
  • Only 9% of companies reported that cybersecurity preparedness includes “simulations, tabletop exercises, response readiness test or independent assessments.”

EY also suggested some best practices for boards, including:

  • "Gaining insights into how management is validating the operational effectiveness of its cybersecurity risk management program"
  • "Asking questions about cybersecurity impacts when contemplating any new product, initiative, partnership or business deal, and overseeing that cyber resiliency is embedded into the foundation of company practices and process (i.e., trust by design)"
  • "Upskilling the full board via concentrated cybersecurity education and periodic training sessions with outside experts, certification courses and peer-to-peer director exchanges"
  • "Overseeing that a third party is periodically evaluating the design and effectiveness of the company’s cybersecurity risk management program, and engaging directly with that third party to help challenge internal bias."

Reading between the lines...it looks like boards and senior management still have a long way to go toward cybersecurity risk disclosures that the SEC has strongly signaled it wants to see, approaching the financial standards that the rest of public company reporting is held to. RiskLens – and the community of FAIR cyber risk quantification practitioners – is advancing business toward that standard. Surveys of boards routinely find that they’re dissatisfied with the quality of reporting on cyber risk, finding it too qualitative and subjective. And the National Association of Corporate Directors has actively promoted financially based reporting on cybersecurity ( see this article in the NACD blog by FAIR model creator Jack Jones and RiskLens board member and corporate governance expert James Lam). The FAIR Institute has partnered with CyberVista, the leading cybersecurity education and workforce development company, on a cyber risk curriculum for board directors. The opportunities for boards to up their games are there – we're expecting we'll see a better story with SEC reporting in next year’s EY report.