Many companies continue to increase their voluntary cybersecurity disclosures to inform investors.
In brief
- As the speed and complexity of cyber attacks increase, boards are enhancing their cyber expertise and engaging with cyber risk professionals.
- Directors are playing a key role in supporting a company’s robust approach to cybersecurity by addressing cyber risks at the intersection of cybersecurity and corporate strategy.
- Leading companies test cybersecurity response and resilience through a variety of exercises that involve the board of directors.
It is often a balancing act, as companies aim to disclose relevant information to the investment community on risk mitigation and responses to material incidents, while limiting information that could be exploited by adversaries and bad actors.
Disclosures play an important role in communicating with the investor community and stakeholders more broadly. In the years since cyber risk became a core item on the board agenda, directors have recognised that it is an ever-evolving issue, requiring constant diligence and a focused approach to enable effective oversight. The past year has seen cyber threats grow more sophisticated, which has prompted companies to strengthen their cybersecurity frameworks even as adversaries refine their attacks.
Notable Developments in Cybersecurity Risks
- New technologies are enabling growing threats: Generative AI (GenAI) is now being used in some way by nearly every company (93%), and many report plans to use GenAI to improve cybersecurity[1] by helping them identify potential cyber risks, detect vulnerabilities and breaches, and prioritise cybersecurity efforts. However, cyber threats continue to grow. Last year the FBI saw a 10% increase in complaints and a 22% increase in losses suffered, now $12.5b per year.[2] Nearly a third (32%) of these incidents involve some type of extortion scheme, such as ransomware.[3]
- Employees play a role in most cyber breaches: More than two thirds of breaches involve company workers in some way, typically through phishing, social engineering or other methods used to obtain and exploit employee credentials.
- Third-party cyber risks are growing: Reliance on third parties for increasingly complex IT operating environments is expanding the attack surface, the set of places where an adversary may attack. It may also create single points of failure in critical systems that can be disrupted.
- Growing use of external advisors: Because cybersecurity is continuously evolving, it is an area of constant diligence for directors and boards. Disclosures about the company's use of an external independent advisor more than doubled, from 43% in 2023 to 87% in 2024, and 10% reported that their boards engage with one directly.
2024 Cyber Disclosure Trends
Since we started tracking cyber disclosures in 2018, there has been a steady increase in voluntary cybersecurity disclosures. The SEC now requires publicly listed companies to disclose a wide variety of cybersecurity risk management and oversight information, including how the board governs cyber risk.[4]
Overall, public companies continue to disclose greater amounts of information about cybersecurity. Every aspect of cybersecurity we track in disclosures has increased since we began this effort in 2018. An analysis of cybersecurity disclosures made by Fortune 100 companies reveals the following:
- Audit committees continue to oversee cyber: Despite an increasingly heavy workload, 81% of Fortune 100 companies report that cybersecurity oversight falls to the audit committee, up from 61% in 2018.
- Cyber expertise is in demand: Although the SEC cyber disclosure rule does not require companies to report on the cyber expertise of board members, our review of company filings shows that cyber expertise is in demand. Nearly three quarters (72%) of companies disclose cyber as an area of expertise sought on the board, and nearly as many (71%) disclose cybersecurity in at least one director biography, up from 34% in 2018.
- Dedicated cyber risk experts are engaging with the boardroom: 70% of companies report that the Chief Information Security Officer (CISO) provides cyber risk information to the board, up from just 9% in 2018.
- Dedicated board time on cyber: More than half (57%) disclose the frequency of meeting with management on cybersecurity as at least annually or quarterly. The remainder are less specific, saying "frequently" or "periodically". This is more than four times the share with a similar disclosure in 2018 (13%).
- Preparedness exercises are common: Nearly half of companies (47%) now report performing simulations, tabletop exercises or response readiness tests as part of their preparation efforts, up from just 3% in 2018.
Fortune 100 Company Cybersecurity Disclosures
What follows is an analysis of Fortune 100 company disclosures. As of May 31, 2024, 79 of these companies had filed their proxy statements and Form 10-Ks, and these companies form the universe for this analysis. The work reflects observations across company filings for the past seven years. Because of the timing of fiscal years, some now-required cyber disclosures appear at less than 100 percent. For voluntary disclosure, the fact that a matter is not disclosed does not mean it is not performed; it simply means that the company did not include disclosures about the activity in its filings.
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Disclosed that at least one board-level committee was charged with oversight of cybersecurity matters* | 95% | 89% | 85% | 76% |
Disclosed that the audit committee oversees cybersecurity matters | 81% | 72% | 67% | 61% |
Disclosed oversight by a risk committee | 13% | 11% | 10% | 9% |
Disclosed oversight by a technology committee | 10% | 9% | 8% | 9% |
Disclosed oversight by another committee (e.g., compliance) | 8% | 8% | 8% | 3% |
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Cybersecurity disclosed as an area of expertise sought on the board or cited in at least one director biography | 85% | 68% | 61% | 42% |
Cybersecurity disclosed as an area of expertise sought on the board | 72% | 51% | 35% | 19% |
Cybersecurity cited in at least one director biography | 71% | 56% | 49% | 34% |
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Provided insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters** | 96% | 78% | 57% | 51% |
Identified at least one C-suite role providing cybersecurity insights to the board (e.g., the CISO or CIO) | 84% | 42% | 25% | 18% |
Chief Information Security Officer (CISO) specifically mentioned | 70% | 28% | 16% | 9% |
Chief Information Officer (CIO) specifically mentioned | 28% | 16% | 10% | 8% |
Chief Technology Officer (CTO) specifically mentioned | 11% | 4% | 0% | 8% |
Included language about frequency of management reporting to the board or committee (most of this language was not specific) | 95% | 70% | 46% | 34% |
Disclosed reporting frequency of at least annually or quarterly; remaining companies used terms like "regularly" or "periodically" | 57% | 44% | 18% | 13% |
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Referenced efforts to mitigate cybersecurity risk, such as the establishment of processes, procedures and systems | 100% | 99% | 95% | 85% |
Disclosed alignment with external framework or standard** | 57% | 20% | 4% | 2% |
National Institute of Standards and Technology (NIST) | 47% | 14% | 3% | 1% |
International Organization for Standardization (ISO) | 20% | 4% | 1% | 1% |
Other** | 14% | 6% | 0% | 0% |
Referenced response readiness, such as planning, disaster recovery or business continuity considerations | 95% | 73% | 65% | 53% |
Stated that preparedness efforts include simulations, tabletop exercises or response readiness tests | 47% | 9% | 6% | 3% |
Stated that the company maintains a level of cybersecurity insurance | 25% | 20% | 13% | 8% |
Included cybersecurity in executive compensation considerations | 11% | 10% | 13% | 8% |
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Disclosed use of education and training efforts to mitigate cybersecurity risk | 82% | 47% | 28% | 15% |
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Disclosed collaborating with peers, industry groups or policymakers | 28% | 14% | 10% | 6% |
Topic | 2024 | 2022 | 2020 | 2018 |
---|---|---|---|---|
Disclosed use of an external independent advisor | 87% | 34% | 16% | 15% |
* Some companies delegate cybersecurity oversight to more than one board-level committee.
** Some companies disclose more than one external framework or standard to which they seek to align. Such frameworks or standards cover different scopes and may not cover all aspects of the enterprise; some, but not all, include external certification or attestation. Other frameworks or standards not broken out here include the Payment Card Industry Data Security Standard (PCI DSS), the Health Information Trust Alliance (HITRUST) framework, System and Organization Controls (SOC) 1 and 2, and more.
Source: Percentages are based on total disclosures by companies. Data are based on the 79 companies on the 2024 Fortune 100 list that filed Form 10-Ks and proxy statements for this year through May 31, 2024, and the filings of those companies from 2018, 2019, 2020, 2021, 2022 and 2023.
Leading Practices in Cybersecurity Oversight
Based on EY discussions with directors, industry groups, cyber leaders and public policy professionals, we have identified these 10 leading practices to help boards oversee cyber risk.
Practice | Actions to take | Questions to consider |
---|---|---|
Elevate the tone | Establish cybersecurity as a key consideration in all board matters. If technology is a cornerstone of most business decisions, then cyber risk considerations should be part of board and management discussions about strategy, product and service growth plans, digital transformation, and so on. | |
Stay diligent | Address new issues and threats stemming from remote work and the expansion of digital transformation. | |
Determine value at risk | Reconcile value at risk expressed in dollar terms against the board's risk tolerance, including the efficacy of cyber insurance coverage. | |
Leverage new analytical tools | Such tools inform the board of cyber risks ranging from high-likelihood, low-impact events to low-likelihood, high-impact events (i.e., a "black swan" event). | |
Embed security from the start | Embrace a "secure by design" philosophy when designing new technology, products and business arrangements. Last year, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and international partners published secure-by-design and secure-by-default principles and approaches. | |
Independently assess | Obtain a rigorous third-party assessment of the company's cyber risk management program (CRMP), including testing of critical systems and processes. | |
Evaluate third-party risk | Understand management's processes to identify, assess and oversee the risk associated with service providers and third parties involved in the supply chain. | |
Test response and recovery | Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third-party specialists before a crisis. | |
Understand escalation protocols | Have a defined communication plan for when the board should be notified, including for incidents involving ransomware. | |
Monitor the regulatory and public policy landscape | Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics, and understand the implications for how the company stays in compliance with requirements. | |
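The "Determine value at risk" and "Leverage new analytical tools" practices above ask the board to see cyber risk in dollar terms, across the full range from frequent small events to rare catastrophic ones, and to reconcile that against its risk tolerance and insurance coverage. The following Monte Carlo model is an added example of what such an analytical tool computes; it is not EY's tool and not part of the original article. Every number in it is an assumption chosen for illustration: the two scenarios (a frequent, small-loss scenario and a rare, large-loss scenario), the Poisson event rates, the lognormal loss sizes, the hypothetical policy terms (deductible and limit) and the board's tolerance threshold.

```python
"""Added example: Monte Carlo estimate of cyber value at risk (VaR).

Each simulated year draws an event count (Poisson) and a loss size per
event (lognormal), sums them, applies a hypothetical insurance policy,
and reports annualized loss expectancy (ALE) plus tail percentiles.
All scenario parameters below are constructed assumptions.
"""
import math
import random
from statistics import mean


def poisson(rng: random.Random, rate: float) -> int:
    """Draw the number of events in one year (Knuth's method)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(rate, median_loss, sigma, trials=20_000, seed=7):
    """Gross loss per simulated year: Poisson frequency x lognormal magnitude."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    mu = math.log(median_loss)         # lognormal median equals exp(mu)
    years = []
    for _ in range(trials):
        events = poisson(rng, rate)
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return years


def retained_loss(gross, deductible, limit):
    """Loss the company keeps after a policy with a deductible and a limit."""
    covered = min(max(gross - deductible, 0.0), limit)
    return gross - covered


def percentile(values, pct):
    """Nearest-rank percentile, so the result is always an observed value."""
    ordered = sorted(values)
    idx = max(math.ceil(pct / 100 * len(ordered)) - 1, 0)
    return ordered[idx]


def summarize(gross_losses, deductible, limit, tolerance, confidence=95):
    """ALE and VaR, gross and net of insurance, against a dollar tolerance."""
    retained = [retained_loss(g, deductible, limit) for g in gross_losses]
    var_retained = percentile(retained, confidence)
    return {
        "ale_gross": mean(gross_losses),
        "ale_retained": mean(retained),
        "p50_retained": percentile(retained, 50),
        "var_gross": percentile(gross_losses, confidence),
        "var_retained": var_retained,
        "within_tolerance": var_retained <= tolerance,
    }


# Constructed scenarios (assumptions): both have roughly the same expected
# annual loss (~$1M) but very different tails, which is the point the board
# needs to see rather than a single average figure.
SCENARIOS = {
    "frequent_small": dict(rate=12.0, median_loss=50_000, sigma=1.0),
    "rare_large": dict(rate=0.1, median_loss=6_000_000, sigma=1.0),
}


def run(deductible=1_000_000, limit=5_000_000, tolerance=10_000_000):
    """Hypothetical policy terms and board tolerance; returns one summary per scenario."""
    return {
        name: summarize(simulate_annual_losses(**params), deductible, limit, tolerance)
        for name, params in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, summary in run().items():
        rounded = {k: (round(v) if isinstance(v, float) else v) for k, v in summary.items()}
        print(name, rounded)
```

The useful output is not the ALE, which is nearly identical for both constructed scenarios, but the 95th-percentile loss and the retained portion after the policy's deductible and limit; the rare, large-loss scenario shows a median year of zero loss and a tail several times the frequent scenario's, which is exactly the contrast between high-likelihood, low-impact and low-likelihood, high-impact risk that the practices above describe.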
Questions for the Board to Consider
- How does the board determine if its board and committee portfolios are best aligned to oversee the company’s evolving cybersecurity needs?
- What information has management provided to help the board assess which critical business assets and partners, including third parties and suppliers, are most vulnerable to cyber attacks?
- How do the board’s current cyber skills and expertise map to the company’s current and future needs?
- If the board needs expert knowledge on a cyber matter, how would it obtain it?
- How does the board view the importance of a single cyber expert vs. a broad set of board members with cyber expertise?
- How does the board ensure that it is receiving the right information from management on cyber risk?
- How does the board ensure that it is hearing from the right voices on cyber risk?
- Does management provide a holistic perspective on cyber risk ranging from threats and response to the state of the company’s cyber risk culture?
- Which external cybersecurity framework is used, why was it chosen, and would management choose it again if making the decision today?
- How does the board know that the company’s cyber crisis response plans are up to date and relevant?
- What roles and responsibilities does the board have during a cyber risk event and which are the responsibilities of management?
The article was first published by EY.