Tapping into a topic of great interest to companies, investors and regulators, EY's review of Fortune 100 company voluntary proxy statement and Form 10-K disclosures on board cybersecurity oversight, cybersecurity risks & strategy, and cybersecurity risk management as of September 1, 2018, revealed these and other noteworthy findings:
- Board Oversight:
  - 41% of companies included cybersecurity experience among the key director qualifications highlighted or considered by the board.
  - 84% disclosed that at least one board-level committee was charged with cybersecurity oversight (70% disclosed audit committee oversight; 20% disclosed non-audit-focused committee oversight).
  - 41% provided insights into management reporting to the board and/or committee(s) responsible for cybersecurity oversight. 24% identified at least one "point person(s)" (e.g., the CISO or CIO).
  - 34% included language on the frequency of management reporting to the board or committee(s), but most of the language reportedly was vague.
- Cybersecurity Risk & Strategy:
  - All companies included cybersecurity as a risk factor consideration.
  - 14% voluntarily highlighted cybersecurity as a strategic focus in the proxy statement.
- Risk Management:
  - 14% disclosed use of an external independent advisor.
  - 71% described efforts to mitigate cybersecurity risk, such as investing in personnel, training, monitoring and the establishment of processes, procedures & systems.
Companies are encouraged to use the data to help inform their consideration of enhanced disclosure on these issues, which are of keen importance to investors relative to the board's risk oversight responsibilities.