A recent analysis of Fortune 100 company disclosures, performed by the EY Americas Center for Board Matters, sought to reveal emerging cybersecurity trends as we head toward 2025. Among its many findings, the analysis revealed that the audit committee continues to be the committee of choice for cybersecurity oversight and that almost half of Fortune 100 companies now engage in simulations and tabletop exercises to prepare themselves for cybersecurity challenges. We explored the report further with Patrick Niemann, EY Americas Audit Committee Forum Leader.
Directors & Boards: The EY Americas Center for Board Matters recently released “Cybersecurity Oversight Disclosures: What Companies Shared in 2024.” What would you say were some of the more surprising cybersecurity disclosure trends to emerge from the report?
Patrick Niemann: Given the increasing speed and complexity of cyberattacks in recent years, we expected a certain degree of increased focus on cyber response and preparedness in the report. However, the increase in voluntary cybersecurity oversight disclosures since EY began tracking cyber disclosures has been compelling. That is occurring even though these disclosures were not mandated by the SEC cyber disclosure regulation. For instance, nearly three quarters (72%) of the Fortune 100 companies in our analysis set now disclose cyber as an area of expertise sought in the board, up from 19% in 2018 and almost as many (71%) disclose cybersecurity in at least one director biography. This truly points to the priority that cybersecurity has become for boards.
Additionally, as I looked at the findings, I was pleased to see some major shifts even in just the past two years. For example, management reporting to the board increased greatly, with companies that identified at least one management role providing cybersecurity insights to the board doubling from 42% in 2022 to 84% in 2024. Additionally, there is greater focus on incident response preparation. Nearly half of firms (47%) reported using simulations, tabletop exercises or response-readiness tests, up from 9% in 2022.
DB: What would you say are some of the more significant cybersecurity risks companies have experienced in 2024?
PN: In 2024, many companies found themselves more reliant on third-party vendors for increasingly complex IT operating environments. The recent EY Center for Board Matters 2024 third-quarter audit committee update shows that audit committee chairs and chief information security officers say the proliferation of third-party vendors is one of their central challenges, especially given that vendors face escalating cyber threats, but many lack the resources to properly defend against them. Board members, executives and others at large global organizations responding to an EY Forensic & Integrity Services survey frequently identified data privacy and security as their organization's greatest integrity risks for the next two years.
Given the complexity associated with managing cybersecurity risks, it is notable that the EY Fortune 100 cyber oversight disclosure analysis found that only 10% of those boards disclose engaging an external advisor to assist in this complex environment, compared to 87% of the companies disclosing that they have an independent external advisor.
DB: The Center has been tracking cyber disclosures since 2018 and the trend has been that voluntary cybersecurity disclosures have increased each year. Is that a trend that continued in 2024? And how is the need for cyber disclosures affecting the board in terms of who is on it, who is doing the work and how boards engage with management?
PN: The steady increase in voluntary cybersecurity oversight disclosures has continued in 2024, and the requirement for cyber disclosures has driven an increase in director skills and expertise. Overall, management reporting to the board has risen, with 95% of companies including language about the frequency of management reporting to the board or committee. Notably, the chief information security officer is specifically mentioned in 70% of disclosures, up from 28% in 2022.
DB: What best practices would you recommend for the board in terms of how they perform cybersecurity oversight?
PN: Based on our conversations with directors, industry groups and cyber leaders, there are a variety of leading practices — from reviewing critical single points of failure in the cyber infrastructure to reviewing the cyber risk culture — that I recommend boards consider in their oversight of cyber risk. Boards also should elevate the tone from the top down to demonstrate the importance of cyber defense. Cyber risk considerations should be a component of board and management discussions surrounding strategy, product and service growth plans and more. Additionally, given the pace of digital transformation, boards need to stay diligent in addressing new issues and threats stemming from emerging technologies and remote work. Lastly, due to the increasing reliance on third-party vendors, boards should ensure an understanding of management's processes to identify, assess and oversee the risk associated with service providers and third parties involved in the supply chain.