In this report, EY discusses an analysis it conducted of voluntary cybersecurity-related disclosures in the 10-Ks and proxy statements of Fortune 100 companies (79 companies that had filed as of September 1, 2018). The analysis notes that, not only are regulators focused on cybersecurity risk management and disclosure, but investors consider cybersecurity risk management as critical to the board’s risk oversight responsibilities and boards are increasingly engaged on the topic. The analysis found a wide variation in the depth and nature of the disclosures.
This year, with the increasing importance of cybersecurity and the increasing incidence of cyber threats, the SEC amped up its warnings on cybersecurity as a continuous risk to the capital markets and to companies, their customers and business partners, both in terms of the need for more timely and transparent disclosure and in terms of the importance of controls, meaning both disclosure controls and internal accounting controls.
In February, the SEC issued long-awaited new guidance on cybersecurity disclosure, advising companies to review the adequacy of their disclosures regarding cybersecurity and to consider how to augment their policies and procedures to ensure that information regarding cybersecurity risks and incidents is effectively communicated to management to allow timely decisions regarding required disclosure and compliance with insider trading policies. In developing disclosure controls, the SEC advised, companies should be sure to include appropriate escalation procedures for cyber incidents, both for purposes of evaluating the significance of the event and determining whether it is likely to develop into a material event that requires the imposition on insiders of trading restrictions. In addition, because cyber threats are a business risk as well as a technology risk, controls should require the input of both IT and business personnel. (See this Cooley Alert.)
In addition, just last month, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report described an investigation of whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.” In particular, the report focused on the requirements of Section 13(b)(2)(B)(i) and (iii) to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” The report cautions that these cyber-related threats are a “growing global problem” that might be mitigated by internal controls that take cyber threats into account, as well as by appropriate training. (See this PubCo post.)
The EY analysis looked at the following topics:
- “Board oversight including risk oversight approach, board-level committee oversight, director qualifications, management reporting structure and management reporting frequency
- Statements on cybersecurity risk and strategy, including disclosure of related strategy-focused language, shareholder engagement and risk factors
- Risk management, including cybersecurity risk management efforts or program, education and training, engagement with outside security experts and use of an external advisor”
Board Oversight. EY reports that most companies (84%) identified cybersecurity as a risk subject to board and committee oversight, typically by the audit committee (70%). However, the nature and frequency of management reporting to the board or committee were disclosed less frequently. Cybersecurity expertise was identified by 41% of companies as a key director qualification considered by the board, although the disclosure did not typically identify which directors were viewed as having that expertise, and the nature of the “expertise” varied widely.
Strategy Statement/Risk Factor. Only 14% of companies “highlighted in their proxy that cybersecurity is a current or emerging strategic focus, or state that data privacy is central to the company’s purpose and core values.” And cybersecurity was disclosed as a topic for engagement with shareholders for only 6% of the companies, although EY observes that those disclosures tend to be more high level and, as a result, may not capture all engagement topics. In contrast, all companies discussed cybersecurity in their risk factors, with a full 92% using a separate caption to highlight the issue.
Risk Management. Disclosures regarding risk management varied widely, but, according to EY, few companies went into much detail. With regard to risk mitigation efforts, 71% disclosed actions such as investments in personnel, training and development of processes and procedures; 30% discussed response planning, disaster recovery or business continuity; 15% discussed education and training; 14% disclosed engagement of an independent third-party advisor; 5% disclosed peer or industry group collaborations; and only 3% discussed simulations, exercises or readiness testing.
EY identifies the following as questions for the board:
- “Has the board formally assigned responsibility on cybersecurity matters—at the board and management levels?
- Does the board have access to the needed expertise on cybersecurity? And is the board getting regular updates and reports concerning cybersecurity risk strategy and event preparedness?
- Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
- Does the board know how management has performed in recent tabletop exercises simulating cybersecurity incidents—and has the board participated in any such exercises?
- Is the board hearing directly from and having a dialogue with third-party experts whose views are independent of management?
- How will the SEC guidance and investor interest impact 2019 disclosures?”
There are several other tools available to help boards with cybersecurity oversight. The Center for Audit Quality has issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting, and to help the board understand how the company is managing its cybersecurity risks. The publication provides important and sometimes quite specific and detailed questions for audit committees and other board members with cybersecurity oversight responsibility to ask of the auditors and management. The CAQ also attaches as Appendix A a series of questions from the NACD related to board cyber risk oversight.
In addition, the NACD has developed the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, which identifies five principles for boards in fulfilling their cyber risk oversight functions:
- “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.”