
Many companies continue to increase their voluntary cybersecurity disclosures to inform investors.


In brief

  • As the speed and complexity of cyber attacks increase, boards are enhancing their cyber expertise and engaging with cyber risk professionals.
  • Directors are playing a key role in supporting a company’s robust approach to cybersecurity by addressing cyber risks at the intersection of cybersecurity and corporate strategy.
  • Leading companies test cybersecurity response and resilience through a variety of exercises that involve the board of directors.

It is often a balancing act, as companies aim to disclose relevant information to the investment community on risk mitigation and responses to material incidents, while limiting information that could be exploited by adversaries and bad actors.

Disclosures play an important role in communicating with the investor community and with stakeholders more broadly. In the quarter century since cyber risk became a core item on the board agenda, directors have recognised that it is an ever-evolving issue, requiring constant diligence and a focused approach to enable effective oversight. The past year has seen an increase in the sophistication of cyber threats, which has prompted companies to improve their cybersecurity frameworks even as adversaries continue to improve the sophistication of their attacks.

Notable Developments in Cybersecurity Risks

  • New technologies are enabling growing threats: Generative AI (GenAI) is now being used in some way by nearly every company (93%), and many report plans to use GenAI to improve cybersecurity[1] by helping to identify potential cyber risks, detect vulnerabilities and breaches, and prioritise cybersecurity efforts. Cyber threats nonetheless continue to grow: last year the FBI recorded a 10% increase in complaints and a 22% increase in losses suffered, now $12.5b per year.[2] Nearly a third (32%) of these incidents involve some form of extortion scheme, such as ransomware.[3]
  • Employees play a role in most cyber breaches: More than two-thirds of breaches involve company workers in some way, whether through phishing, behavior manipulation or other methods used to obtain and exploit employee credentials.
  • Third-party cyber risks are growing: Reliance on third parties for increasingly complex IT operating environments is expanding the threat surface area — the places where an adversary may attack. It also may create single points of failure in critical systems that can be disrupted.
  • Growing use of external advisors: Due to its continuously evolving nature, cybersecurity is an area of constant diligence for directors and boards. Disclosures about the company’s use of an external independent advisor more than doubled from 43% in 2023 to 87% in 2024 and 10% reported that their boards engage with one.

2024 Cyber Disclosure Trends

Since we started tracking cyber disclosures in 2018, there has been a steady increase in voluntary cybersecurity disclosures. The SEC now requires publicly listed companies to disclose a wide variety of cybersecurity risk management and oversight information, including how the board governs cyber risk.[4]

Overall public companies continue to disclose greater amounts of information about cybersecurity. Every aspect of cybersecurity we track in disclosures has increased since we began this effort in 2018. An analysis of cybersecurity disclosures made by Fortune 100 companies reveals the following:

  • Audit committees continue to oversee cyber: Despite an increasingly heavy workload, 81% of Fortune 100 companies report that cybersecurity oversight falls to the audit committee, up from 61% in 2018.
  • Cyber expertise is in demand: Although the SEC cyber disclosure rule does not require companies to report on the cyber expertise of board members, our review of company filings shows that cyber expertise is in demand. Nearly three quarters (72%) of companies disclose cyber as an area of expertise sought on the board, and nearly as many (71%) cite cybersecurity in at least one director biography, up from 34% in 2018.
  • Dedicated cyber risk experts are engaging with the boardroom: 70% of companies report that the Chief Information Security Officer (CISO) provides cyber risk information to the board, up from just 9% in 2018.
  • Dedicated board time on cyber: More than half (57%) disclose a frequency of at least annually or quarterly for meetings with management on cybersecurity; the remainder are less specific, using terms such as “regularly” or “periodically”. This is more than four times the share making a similar disclosure in 2018.
  • Preparedness exercises are common: Nearly half of companies (47%) now report performing simulations, tabletop exercises, or response readiness tests as part of their preparation efforts — up from just 3% in 2018.

Fortune 100 Company Cybersecurity Disclosures

What follows is an analysis of Fortune 100 company disclosures. As of May 31, 2024, 79 of these companies filed their proxy forms and 10-Ks, and these companies formed the universe for this analysis. The work reflects observations across company filings for the past seven years. Because of the timing of fiscal years, some now-required cyber disclosures appear to be less than 100 percent. For voluntary disclosure, just because a matter is not disclosed does not mean it is not performed. It simply means that the company did not include disclosures about the activity in their filings.

Topic  2024  2022  2020  2018
Disclosed that at least one board-level committee was charged with oversight of cybersecurity matters*  95%  89%  85%  76%
Disclosed that the audit committee oversees cybersecurity matters  81%  72%  67%  61%
Disclosed oversight by a risk committee  13%  11%  10%  9%
Disclosed oversight by a technology committee  10%  9%  8%  9%
Disclosed oversight by another committee (e.g., compliance)  8%  8%  8%  3%

Topic  2024  2022  2020  2018
Cybersecurity disclosed as an area of expertise sought on the board or cited in at least one director biography  85%  68%  61%  42%
Cybersecurity disclosed as an area of expertise sought on the board  72%  51%  35%  19%
Cybersecurity cited in at least one director biography  71%  56%  49%  34%

Topic  2024  2022  2020  2018
Provided insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters**  96%  78%  57%  51%
Identified at least one C-suite role providing cybersecurity insights to the board (e.g., the CISO or CIO)  84%  42%  25%  18%
Chief Information Security Officer (CISO) specifically mentioned  70%  28%  16%  9%
Chief Information Officer (CIO) specifically mentioned  28%  16%  10%  8%
Chief Technology Officer (CTO) specifically mentioned  11%  4%  0%  8%
Included language about the frequency of management reporting to the board or committee (most of this language was not specific)  95%  70%  46%  34%
Disclosed a reporting frequency of at least annually or quarterly; remaining companies used terms like “regularly” or “periodically”  57%  44%  18%  13%

Topic  2024  2022  2020  2018
Referenced efforts to mitigate cybersecurity risk, such as the establishment of processes, procedures and systems  100%  99%  95%  85%
Disclosed alignment with an external framework or standard**  57%  20%  4%  2%
National Institute of Standards and Technology (NIST)  47%  14%  3%  1%
International Organization for Standardization (ISO)  20%  4%  1%  1%
Other**  14%  6%  0%  0%
Referenced response readiness, such as planning, disaster recovery or business continuity considerations  95%  73%  65%  53%
Stated that preparedness efforts include simulations, tabletop exercises or response readiness tests  47%  9%  6%  3%
Stated that the company maintains a level of cybersecurity insurance  25%  20%  13%  8%
Included cybersecurity in executive compensation considerations  11%  10%  13%  8%

Topic  2024  2022  2020  2018
Disclosed use of education and training efforts to mitigate cybersecurity risk  82%  47%  28%  15%
Disclosed collaborating with peers, industry groups or policymakers  28%  14%  10%  6%
Disclosed use of an external independent advisor  87%  34%  16%  15%

* Some companies delegate cybersecurity oversight to more than one board-level committee.

**Some companies disclose more than one external framework or standard to which they seek to align. Such frameworks or standards cover different scopes and may not cover all aspects of the enterprise; some, but not all, include external certification or attestation. Other frameworks or standards not broken out here include the Payment Card Industry Data Security Standard (PCI DSS), the Health Information Trust Alliance (HITRUST) framework, System and Organization Controls (SOC) 1 and 2, and more.

Source: Percentages are based on total disclosures by companies. Data based on the 79 companies on the 2024 Fortune 100 list that filed Form 10-Ks and proxy statements for this year through May 31, 2024, and the filings of those companies from 2018, 2019, 2020, 2021, 2022 and 2023.

Leading Practices in Cybersecurity Oversight
Based on EY discussions with directors, industry groups, cyber leaders and public policy professionals, we have identified these 10 leading practices to help boards oversee cyber risk.

Elevate the tone
Actions to take: Establish cybersecurity as a key consideration in all board matters. If technology is a cornerstone of most business decisions, then cyber risk considerations should be part of board and management discussions about strategy, product and service growth plans, digital transformation, and so on.
Questions to consider:
  • What parts of our business are most vulnerable to cybersecurity disruptions?
  • What critical single points of failure are existential risks to the company?

Stay diligent
Actions to take: Address new issues and threats stemming from remote work and the expansion of digital transformation.
Questions to consider:
  • How does the company assess, monitor and improve its cyber risk culture?
  • Who is in the best position to provide this information to the board?

Determine value at risk
Actions to take: Reconcile value at risk, expressed in dollar terms, against the board’s risk tolerance, including the efficacy of cyber insurance coverage.
Questions to consider:
  • What metrics can best show the company’s value at risk?
  • How well does the company’s risk tolerance match its value at risk?

Leverage new analytical tools
Actions to take: Use such tools to inform the board of cyber risks ranging from high-likelihood, low-impact events to low-likelihood, high-impact events (i.e., a “black swan” event).
Questions to consider:
  • How does management determine which risks should be elevated to boardroom conversation?
  • How confident is the board that it is having discussions about the right risks?

Embed security from the start
Actions to take: Embrace a “secure by design” philosophy when designing new technology, products and business arrangements. Last year, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and international partners published secure-by-design and secure-by-default principles and approaches.
Questions to consider:
  • What is the company’s approach to secure by design?
  • How does the board know that this approach is being followed?

Independently assess
Actions to take: Obtain a rigorous third-party assessment of the company’s cyber risk management program (CRMP), including testing of critical systems and processes.
Questions to consider:
  • How did management determine whom to partner with for a third-party assessment?
  • What are the most important areas of disagreement with the third-party review, and what are the planned action steps?

Evaluate third-party risk
Actions to take: Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain.
Questions to consider:
  • Which third parties represent a single point of failure for critical systems?
  • What do we know about the risks posed by third parties and their downstream suppliers and providers?

Test response and recovery
Actions to take: Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third-party specialists before a crisis.
Questions to consider:
  • What experience does the board have with realistic and complex simulation exercises?
  • How are the outcomes of the simulations incorporated into the company’s crisis response planning?

Understand escalation protocols
Actions to take: Have a defined communication plan for when the board should be notified, including for incidents involving ransomware.
Questions to consider:
  • Under what conditions is the board notified, and how long should it take?
  • What is the board’s role in the plan, and how will the board be notified if it changes?

Monitor the regulatory and public policy landscape
Actions to take: Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics, and understand the implications for how the company stays in compliance with requirements.
Questions to consider:
  • Who is responsible for monitoring the regulatory and public policy landscape?
  • How are relevant groups notified, and how are processes updated when relevant changes occur?

Questions for the Board to Consider

  • How does the board determine if its board and committee portfolios are best aligned to oversee the company’s evolving cybersecurity needs?
  • What information has management provided to help the board assess which critical business assets and partners, including third parties and suppliers, are most vulnerable to cyber attacks?
  • How do the board’s current cyber skills and expertise map to the company’s current and future needs?
  • If the board needs expert knowledge, how would it obtain it?
  • How does the board view the importance of a single cyber expert vs. a broad set of board members with cyber expertise?
  • How does the board ensure that it is receiving the right information from management on cyber risk?
  • How does the board ensure that it is hearing from the right voices on cyber risk?
  • Does management provide a holistic perspective on cyber risk ranging from threats and response to the state of the company’s cyber risk culture?
  • Which external cybersecurity framework is used, why was it chosen, and would management choose it again if making the decision today?
  • How does the board know that the company’s cyber crisis response plans are up to date and relevant?
  • What roles and responsibilities does the board have during a cyber risk event and which are the responsibilities of management?

The article was first published by EY.

Photo by Possessed Photography on Unsplash.
