Cyber Disclosure Practices Are Evolving Ahead of SEC Rules
An efficient board must set the tone for a company’s cybersecurity prioritization.
“How Cyber Governance and Disclosures Are Closing the Gaps in 2022,” the EY Center for Board Matters’ latest analysis of cyber-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies, reports mixed results when it comes to how companies are rising to the challenge of increased risk around cybersecurity. Just 9% of these companies disclosed the performance of response-readiness simulations or tabletop exercises to prepare for cyber breaches.
The report found that in 2022, 88% of Fortune 100 companies disclose that at least one board-level committee was charged with oversight of cybersecurity matters, while 74% of companies provide insight into management reporting to the board or committees overseeing cybersecurity issues. A majority of Fortune 100 companies (51%) state that they maintain a level of cybersecurity insurance, and 28% disclose the use of a third-party advisor. As for the 9% of companies that disclose the utilization of simulations and tabletop exercises to prepare for cybersecurity incidents, Chuck Seets, a principal with EY, says he does not believe the number of companies disclosing use of response-readiness tactics necessarily reflects the percentage that are taking part in such exercises.
“Many companies are not reporting on whether they do cyber breach simulation exercises and things of that nature. But I think many of them are doing it. They might be reluctant to draw attention to themselves to avoid setting themselves up as a target for a would-be cyber attacker looking for a challenge,” says Seets.
Seets also believes many companies may be waiting on the SEC’s finalized cyber incident reporting rules before they jump fully into detailed disclosure.
“Companies are studying the proposed rules, and they’re wrestling with what more to disclose until they know what the final rules will require. We’ll see how they unfold.” The rules are projected to be finalized sometime next spring, says Seets.
Seets predicts one of the most challenging aspects of the rules is the requirement for companies to disclose whether there is a cyber expert on their board. It’s an issue that is driving boards to consider their composition in a whole new way: Is it more feasible to have a cyber expert on the board or to work with a third-party expert? According to Seets, boards are considering exactly what constitutes a cyber expert.
Seets offers as an example a director who has worked for a technology company or was once a chief information officer. “Companies are now starting to say, ‘How much of that really involves security?’” says Seets. “There’s a difference between being a technology professional and being a security professional. Companies are wrestling with that along with their board members, and how they solve for it if that becomes part of the final rule.”
The SEC’s proposed rules also require disclosure of how a company’s board is being informed about cyber risk. The EY report shows a steady increase in companies providing insight on cyber reporting to the board, with 74% disclosing on the topic compared with 65% in the 2021 version of the report. While the number of companies providing disclosure may be rising, Seets notes, the depth and rigor of that reporting are not clear, and boards have a clear responsibility to push management for details on cybersecurity protections.
“Cyber is being discussed more fervently and frequently in the boardroom, and more informed boards are beginning to ask questions of the entire management team, not just when the CIO or the CISO are in the room,” says Seets. “Cybersecurity is a topic that you should engage in with any executive because it is a risk that runs across the enterprise.”
According to the report, if companies are considering cybersecurity or privacy issues when determining executive pay, they are certainly not disclosing it to a large degree. Just 7% of Fortune 100 companies disclose such information, a number that is actually down from last year’s 11%. Says Seets, “The companies that do mention it do so loosely. They don’t give you the formula with which executive compensation is derived. It’s one factor among many.”
While noting that the management of cybersecurity is not the province of the board, Seets says that a company’s directors can help by clarifying exactly how much cyber risk they are willing to tolerate. This can be accomplished through how they communicate with management and how much of their board meetings they dedicate to the topic.
“If a board is only spending one hour a year on its duties focused on cyber risk versus another board that is spending a multiple of that amount, that conveys a different tone to the management team. Time, rigor and engagement indicate how much the board is focused on cybersecurity. One of the most important things a board can do is to set the right tone around a topic as important as cyber risk.”