What are companies disclosing about their efforts to oversee cybersecurity risk? In this article, Ernst & Young analyzes cybersecurity-related disclosures in the proxy statements and Forms 10-K of Fortune 100 companies from 2018 to 2019, focusing on disclosure regarding board oversight, cybersecurity risk and risk management. Building on its similar analysis conducted for 2018 (see this PubCo post), EY detected “modest” enhancements in disclosures compared to the prior year—most significantly regarding board oversight practices—although the depth, detail and company-specificity of the disclosures continued to vary widely. Nevertheless, based on its observations of companies’ activities in the market, EY found that even these enhanced disclosures sometimes failed to capture all of a company’s oversight activities, such as third-party independent assessments or tabletop exercises designed to enhance preparedness. Given that many stakeholders have interests in cybersecurity risk preparedness and board oversight, EY advises, enhanced disclosure can serve to build “stakeholder confidence and trust as the cybersecurity risk landscape evolves and as technological innovations raise the stakes for data privacy and protections.”
Leading board practices. Based on its market observations, EY identified the following as leading practices for cybersecurity risk oversight by the board:
- “Having unfiltered board discussions with the chief information security officer (CISO) in executive sessions
- Gaining insights into how management is validating the operational effectiveness of its cybersecurity risk management program
- Regularly infusing cyber in boardroom conversations with all C-suite executives and division leaders to help create accountability for their role in supporting the cybersecurity environment
- Asking questions about cybersecurity impacts when contemplating any new product, initiative, partnership or business deal, and overseeing that cyber resiliency is embedded into the foundation of company practices and process (i.e., trust by design)
- Upskilling the full board via concentrated cybersecurity education and periodic training sessions with outside experts, certification courses and peer-to-peer director exchanges
- Overseeing that a third party is periodically evaluating the design and effectiveness of the company’s cybersecurity risk management program, and engaging directly with that third party to help challenge internal bias
- Overseeing, and periodically participating in, tabletop exercises and simulations as part of the company’s cybersecurity incident response and recovery planning.”
In 2018, with the increasing importance of cybersecurity and the increasing incidence of cyber threats, the SEC amped up its warnings on cybersecurity as a continuous risk to the capital markets and to companies, their customers and business partners, both in terms of the need for more timely and transparent disclosure and in terms of the importance of controls, both disclosure controls and internal accounting controls.
In February 2018, the SEC issued long-awaited new guidance on cybersecurity disclosure. While the 2018 guidance addressed disclosure obligations under existing laws and regulations (much like the 2011 guidance), the real focus was on cybersecurity policies and procedures, particularly with respect to disclosure controls and procedures and insider trading and selective disclosure prohibitions. The guidance advised companies to review the adequacy of their disclosures regarding cybersecurity and to consider how to augment their policies and procedures to ensure that information regarding cybersecurity risks and incidents is effectively communicated to management to allow timely decisions regarding required disclosure and compliance with insider trading policies. In developing disclosure controls, the SEC advised, companies should be sure to include appropriate escalation procedures for cyber incidents, both for purposes of evaluating the significance of the event and determining whether it is likely to develop into a material event that requires the imposition on insiders of trading restrictions. In addition, because cyber threats are a business risk as well as a technology risk, controls should require the input of both IT and business personnel. (See this Cooley Alert and this PubCo post.)
SEC Chair Jay Clayton and other SEC officials subsequently emphasized the importance of the issue. (See this PubCo post.) As reported by the WSJ, Corp Fin Chief Accountant Kyle Moffatt has advised that the “‘biggest key is making sure that there are procedures in place to make sure that the information is provided to all levels, all relevant levels, of management, so everyone is aware of what’s happened and so that those issues can be addressed.’” (See this PubCo post.)
In addition, in October 2018, the SEC issued an investigative report under Section 21(a) that advised public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report described an investigation of whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.” In particular, the report focused on the requirements of Section 13(b)(2)(B)(i) and (iii) to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” The report cautions that these cyber-related threats are a “growing global problem” that might be mitigated by internal controls that take cyber threats into account, as well as by appropriate training. (See this PubCo post.)
Institutional investor viewpoint. For this year’s report, EY also spoke with governance specialists at a number of institutional investors; 61% identified cybersecurity as a key risk, specifically expressing interest in whether oversight was delegated to a committee or the responsibility of the full board, how directors were getting up to speed on cyber issues, management-to-board reporting relationships, how management is addressing risk, data privacy issues and regulatory compliance.
2019 analysis. EY’s analysis studied cybersecurity disclosures in the 10-Ks and proxy statements of Fortune 100 companies (82 companies that had filed as of September 5, 2019), looking at
- “Board oversight, including risk oversight approach, board-level committee oversight, and director skills and expertise
- Statements on cybersecurity risk
- Risk management, including cybersecurity risk management efforts, education and training, engagement with outside security experts, and use of an external advisor”
Board Oversight. EY reported that the percentage of companies that disclosed a focus on cybersecurity in the risk oversight section of their proxy statements grew from 80% to 89% this year, but the extent of these disclosures was highly variable. In some cases, EY reported, cybersecurity was merely identified as one among a number of risks subject to board risk oversight. In other cases, companies provided more detail regarding the exercise of board cybersecurity risk oversight, including the frequency of management reporting to the board, who among management did the reporting and some of the specific topics discussed.
In addition, 84% of companies disclosed that cybersecurity oversight had been delegated to at least one board committee, compared to 78% last year. Almost two-thirds of companies (65%) disclosed that oversight was assigned to the audit committee, compared to 62% last year, and 28% disclosed oversight by another committee (either alone or in addition to the audit committee), up from 21% in 2018. Ten percent disclosed that oversight responsibility remained with the full board.
In a significant jump up, just over half (54%) included cybersecurity as an area of expertise sought on the board or cited in a director biography, compared to 40% in 2018. More specifically, EY reported that, in 2019, 33 companies cited cybersecurity in the biography of at least one director, an increase from 25 companies in 2018, although, EY acknowledged, the meaning of that data was “difficult to interpret. For example, a few companies explicitly cited cybersecurity experience in certain director biographies one year but not the other. In sum, the disclosures may at least indicate that companies are paying more attention to noting director experience or expertise in cyber.” In addition, 54% provided insights into management’s reporting to the board in 2019, fairly level compared to 53% last year. The percentage of companies that identified at least one “point person” from management (e.g., the CISO or the chief information officer) who reported to the board grew from 26% in 2018 to 33% in 2019. Last year, 39% disclosed, albeit sometimes vaguely, the frequency of management reporting on cybersecurity to the board, increasing to 43% this year.
Statement on Cybersecurity Risk. All of the companies identified cybersecurity as a risk factor in both years.
Risk Management. In 2019, the vast majority (89%) of companies disclosed efforts to mitigate cybersecurity risk, such as the establishment of processes, procedures and systems, up from 82% last year. In 2019, 26% disclosed efforts to mitigate risk through education and training, up from 18% in 2018. The percentage that disclosed use of an external independent advisor actually declined slightly in 2019 to 12% from 13% in 2018. However, EY notes, in 2019, only one of these companies stated that the board engaged in a direct dialogue with the advisor, and there was no discussion of the scope of the assessment or whether the advisor provided an attestation using the AICPA framework.
Slightly over half (55%) discussed response planning, disaster recovery or business continuity issues in 2019, an increase from 49% in 2018. In both years, only 9% indicated that preparedness included simulations, tabletop exercises, response readiness tests or, in most cases, independent assessments. However, EY notes that it is “routinely observing in the market” the performance of activities such as independent assessments and tabletop exercises, and is a strong advocate for simulations:
“Simulations are a critical risk preparedness practice that EY and others believe boards should prioritize. Among other critical benefits, such exercises help companies develop and practice action plans related to data privacy issues. Cyber breaches can—and often do—result in the loss of personal data. These events require compliance with a host of complex state and federal laws (all of which call for prompt notice to states, regulators and affected persons), and may require compliance with the laws of non-US jurisdictions. Preparation is key to promoting compliance. If companies are performing cybersecurity breach simulations, they should, as a best practice, disclose that, and if not, boards should make this an agenda item in the near term.”
Board recommendations. From prior engagement with groups of directors, EY highlighted two board recommendations regarding cybersecurity: Boards need to “[s]et the tone that cybersecurity is a critical business issue,” and “[s]tay attuned to evolving board and committee cybersecurity oversight practices and disclosures, including asking management for a review of the company’s cybersecurity disclosures with peer benchmarking over the last two to three years.”
In addition, EY identified the following as questions for the board:
- “Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity?
- Do the company’s disclosures effectively communicate the rigor of its cybersecurity risk management program and related board oversight?
- Is the board communicating with C-suite executives beyond the CISO to gain insights into potential business impacts of cyber incidents, and how cybersecurity governance is integrated across all divisions?
- What resources is the board using to enhance its competency on cybersecurity topics and understand emerging threats?
- How is the board getting a pulse on the company’s culture with respect to cybersecurity?
- Does management reporting to the board include: (1) metrics that report on the health of the cybersecurity risk management program, including visibility into the effectiveness of the program, and (2) the results of cyber breach simulations? Does the board periodically participate in those drills?
- Does the board understand the scope of work performed through any independent third-party assessments, and is the board having direct dialogue with that third party?
- Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?”
There are several other tools available to help boards with cybersecurity oversight. The Center for Audit Quality has issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting, and to help the board understand how the company is managing its cybersecurity risks. The publication provides important and sometimes quite specific and detailed questions for audit committees and other board members with cybersecurity oversight responsibility to ask the auditors and management. The CAQ also attaches as Appendix A a series of questions from the NACD related to board cyber risk oversight.
In addition, the NACD has developed the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, which identifies five principles for boards in fulfilling their cyber risk oversight functions:
- “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.”