14 minute read 21 Aug 2023

What cyber disclosures are telling shareholders in 2023

By Pat Niemann

EY Americas Audit Committee Forum Leader

Community champion. Family man. USC Trojan alum.



Investors need accurate and timely disclosures on cybersecurity risk governance and management to make informed decisions.

In brief

  • Directors play a critical role in overseeing enhanced disclosures to clarify the board’s oversight of cybersecurity risks and its competency to provide it.
  • In the US, more cybersecurity regulation and additional requirements for cyber disclosures are here or on their way.
  • Cybersecurity risk management is about response preparedness and resilience, based on comprehensive crisis response plans that are regularly stress-tested.

Companies face a tension: they need to disclose enough information for investors to understand whether the business is responding to and recovering from a material cyber incident, without providing a roadmap to attackers or undermining law enforcement efforts. Furthermore, the cyber threat landscape has reached a new and dangerous stage in its evolution, with cybercrime expected to cost the world some US$8 trillion in 2023.ᶦ Our latest EY Global Information Security Survey (GISS) shows that 30% of senior cybersecurity leaders report that hackers are using new strategies that could potentially outsmart their defenses.

In addition to long-standing threats such as IP theft and ransomware, new technologies are dramatically affecting the cybersecurity landscape. ChatGPT reached 1 million users in five days, making it one of the fastest-growing online platforms in history. By comparison, the most popular social media platforms took anywhere from several months to years to reach that same milestone. But more importantly, it’s a signal of what’s to come: generative artificial intelligence (AI) is poised to reshape our society. Not only are people adopting it in droves, but unlike social platforms, its business applications appear infinite. This technology is maturing fast, and real opportunities and risks for businesses are months, not years, away.

Despite these risks, 35% of board directors polled in an EY analysis say they lack an understanding of the AI-related risks their companies face. Organizations need a board-approved strategy on evolving technologies (e.g., generative AI).

Emerging technologies and existing cybersecurity risk management can often present competing challenges for management and the board’s attention. In a time of turbulence, boards have a critical role to play in strengthening risk management.

Robust cyber-related disclosures inform shareholders of how the company is currently addressing the fast-paced challenges of cyber risk, including notifying them of cyber incidents, and help them make more informed investment decisions. Additionally, many organizations will need to comply with new regulations such as the U.S. Securities and Exchange Commission’s (SEC) recent final rules requiring disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.

In our latest analysis of cyber‑related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies, we found more companies providing information about board directors’ cyber-related skills and expertise and management’s reporting structure and frequency of reporting.

Our refreshed analysis of the proxy statements and 10‑K filings, the sixth in an annual series, was designed to identify emerging trends and opportunities for enhanced communication. We looked at filings from 75 Fortune 100 companies that filed during each fiscal year from 2018 through May 31, 2023. We cited sample language from their disclosures and examined the current US regulatory and public policy cyber landscape.

The SEC’s rules

In July 2023, the SEC adopted rules that will, among other things, require cybersecurity incident reporting and disclosure by public companies about their cybersecurity risk management, strategy and governance. The rules require registrants to disclose the following information:

  • The disclosure of a material cybersecurity incident in Form 8‑K within four business days of determining that it is material, with a delay only when the U.S. Attorney General concludes that disclosure would pose a substantial risk to national security or public safety (registrants should take into consideration both quantitative and qualitative factors to determine whether an incident is material).
  • If any required information is not determined or is unavailable at the time the company prepares the Form 8-K, the company must file an amended Form 8-K containing such information within four business days after it determines such information, or the information becomes available.
  • The board’s role in overseeing risks from cybersecurity threats. Registrants are required to identify any board committee or subcommittee that oversees cybersecurity risks, if applicable, and describe the processes by which the committee is informed about such risks.
  • Their processes, if any, to assess, identify and manage risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. For example, a registrant is required to disclose whether and how any such processes have been integrated into its overall risk management system or processes.
  • Whether the registrant uses assessors, consultants, auditors or other third parties in connection with such processes, and whether it has processes in place to oversee and identify risks related to its use of third-party service providers.
  • Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect its business strategy, results of operations or financial condition and if so, how.
  • Management’s role in assessing and managing material risks from cybersecurity threats, including whether certain management positions or committees are responsible for measuring and managing cybersecurity risk and their relevant expertise.
  • Registrants must also disclose the processes by which management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, including whether management reports information about such risks to the board.

What we found

In comparing the proxy statements and Form 10-K filings of Fortune 100 companies over the past six years, we have seen steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.

Providing insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters had a disclosure rate of 87% in 2023, up from 55% in 2018. Identifying at least one point person responsible for reporting to the board, such as the chief information security officer (CISO) or chief information officer (CIO), had a rate of 57% this year, up from 23% in 2018.

Other areas of noteworthy increases in disclosure rates in the 2023 filings:

  • Frequency of management reporting to the board or committee(s) (83% in 2023, up from 37% in 2018)
  • Cybersecurity disclosed as an area of expertise sought on the board (61% in 2023, up from 20% in 2018)
  • Director cybersecurity skills and expertise cited in at least one director biography (68% in 2023, up from 33% in 2018)
  • Use of an external independent advisor (45% in 2023, up from 15% in 2018)

A detailed analysis of the latest disclosures, in the context of six-year trends, follows. In certain key areas, we provide a comparison with the SEC rules, underscoring the gaps that some companies will need to address in their practices and disclosures.


Management reporting to the board

The new SEC rules require disclosing the processes by which the board or committee responsible is informed about cyber risks. Over time, we’ve seen disclosure enhancements regarding management reporting on such risks to the board. This year, 87% of companies provided insights into management reporting to the board and/or committee overseeing cyber matters, up from 55% in 2018.

While that change is notable, the real change we’re seeing is around who is providing that information and how often it is conveyed. In 2023, 57% identified at least one person who is reporting to the board on cybersecurity, most often the CISO or CIO, up from 23% in 2018. Similarly, 49% disclosed this year that management is reporting to the board on cybersecurity at least annually, with a number of companies reporting on at least a quarterly basis, up from 12% in 2018. Many other companies include language on the frequency of management reporting, but typically that language is not specific, alluding to reports to the board that occur “regularly” or “periodically.”

As the rules indicate, the Commission directs registrants to disclose management positions or committees responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. Disclosing details of the frequency of reporting could be included as part of describing the processes by which the board or relevant committee is informed about cybersecurity risks. 

Adding specificity to these disclosures may help stakeholders assess whether the board is engaging with the CIO, CISO or equivalent executive with an appropriate cadence to conduct its oversight. While it is common for either the CIO or CISO to routinely brief the board, in our discussions with directors, many indicate that they intentionally raise cyber risks in their interactions with other members of management. In doing so, directors invoke a heightened tone at the top and demonstrate that cyber is viewed as a critical enterprise risk that is ultimately owned by the businesses and touching key activities across the company, from M&A to product development to vendor management to human resources.

Board-level committee oversight

Under the final rule, the SEC requires companies to identify and disclose whether any board committee or subcommittee is responsible for cybersecurity oversight. In our research, 91% of companies this year charged at least one board‑level committee with cybersecurity oversight, up from 72% in 2018. Since 2018, we’ve observed an increase in boards assigning oversight to committees other than audit, most often risk or technology committees. This year, 31% of boards chose a committee other than audit, for primary or additional oversight, up from 19% in 2018. Among the boards making that choice, 86% added cyber responsibilities to the committee charter. 

For now, at least, audit committees remain the primary choice to oversee cybersecurity risk. This year, 75% of the boards chose audit, up from 59% in 2018. Among the boards that chose the audit committee, 82% formalized that responsibility in the committee charter. 

Identification of director skills and expertise

Although the final SEC rules do not require disclosing whether directors have expertise in cybersecurity, director cyber expertise represents one of the more significant shifts in disclosure rates that we’ve observed since initiating this analysis six years ago. In 2023, 61% of companies disclosed cybersecurity as an area of expertise sought on the board, up from 20% in 2018. More than two-thirds of the companies now cite cybersecurity experience in at least one director biography, up from 33% in 2018. Gartner predicts 70% of boards will include at least one member with cybersecurity experience by 2026.ᶦᶦ

A closer look at these changes over the past few years shows that, in most cases, the increases in director experience reflect companies adding cyber‑related experience to the biographies of longer‑standing board members, with some boards adding a new director with cybersecurity experience. The new arrivals have included former CIOs and senior information technology executives, the head of a cybersecurity company, and former leaders in federal intelligence agencies or the Department of Defense.

Alignment with an external framework or standard

The number of companies that disclosed the alignment of their cybersecurity program and information security practices with an external security process or control framework increased to 25% this year, up from just 1% in 2018. The framework of the National Institute of Standards and Technology (NIST) was cited by 16 companies, more than any other. Among the others referenced were the International Organization for Standardization (ISO) 27001 and HITRUST. A number of companies also disclosed that certain portions of their controls were covered by the American Institute of Certified Public Accountants (AICPA) System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2) service audit reports.

Compensation incentives

This year, we observed a modest increase in companies specifically disclosing performance related to cybersecurity or privacy issues as a consideration in determining executive pay: 12% of companies did so, compared with zero in 2018. Even where disclosed, companies generally cited cyber considerations (e.g., maintained strong cyber defense with no material business-impacting events amid a heightened cyber-threat environment) as one among a host of other nonfinancial company or individual performance considerations in executive pay decisions.

Response readiness simulations 

The percentage of companies disclosing that they performed cyber incident simulations with management and/or the board remains low, increasing to 16% this year, from 3% in 2018. Of the companies that disclosed such exercises, several disclosed that the board participated, and one specified that the board actively participates in discussions and simulations of cybersecurity risks both internally and with law enforcement, government officials, and peer and industry groups. Rigorous simulations are critical risk preparedness practices that Ernst & Young LLP (EY) and others believe companies should prioritize. 

If cybersecurity breach simulation plans are not practiced and a breach occurs, the reaction by the board and management is largely improvised. Well‑designed incident simulations can stress‑test the organization’s capabilities and improve readiness by providing clarity of roles, protocols and escalation processes. These simulations often include third parties (e.g., a public relations firm, forensic specialists, outside counsel and/or law enforcement as noted previously). Policies on ransomware should also be established ahead of time, including whether the company and board would approve payment and under what circumstances, as well as a full understanding of insurance contract terms and conditions. Management should conduct these exercises to test the company’s significant vulnerabilities and identify where the greatest financial impact could occur. Boards should consider participating in these simulations so that their insights and experiences can be incorporated to elevate the company’s ability to respond and recover.

Further, such exercises help companies develop and practice action plans related to data privacy issues. Cyber breaches can — and often do — result in the loss of personal data. These events require compliance with a host of complex state and federal laws (all of which call for prompt notice to states, regulators and affected persons), and may require compliance with the laws of non‑US jurisdictions. Regular practice is key to establishing effective preparation and responses.

Use of external independent advisor

Another component of the SEC rules requires registrants to disclose whether they use assessors, consultants, auditors or other third parties in connection with their processes to assess, identify and manage risks from cybersecurity threats, and whether they have processes in place to oversee and identify risks related to their use of third-party service providers. In our analysis, the percentage of companies disclosing the use of an external independent advisor to support management on cybersecurity matters grew to 45% this year, from 15% in 2018. Among the companies that made the disclosure this time around, nine indicated that the board received reports from the independent third party. One company disclosed that the audit and compliance committee annually engages third parties (as well as the company’s internal audit department) to audit the company’s information security programs, whose findings are reported to the audit and compliance committee.

Disclosure of cyber incidents

There appears to be a gap between disclosures related to material cybersecurity incidents, including the depth of the disclosures, as compared with the number and scale of cyber incidents reported in the news media and third‑party reports. The 2023 Verizon Data Breach Investigations Report stated there were 5,199 confirmed data breaches between November 1, 2021 and October 31, 2022, from small to large organizations, but the report did not address the materiality of these breaches. Per research provided to EY researchers from Audit Analytics for the same time period, there were 57 cyber incidents reported to the SEC in a public filing.

The SEC’s rules require disclosure of a material cybersecurity incident in Form 8‑K within four business days of determining that it is material. The SEC states the information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. If any required information is not determined or is unavailable at the time the company prepares the initial Form 8-K, the company must file an amended Form 8-K containing such information within four business days after it determines such information, or the information becomes available. 

Disclosures to date range from stating the occurrence of an incident to providing a more in‑depth account, including the number of account holders affected; the nature of the data; costs and insurance offsets; and remedial steps taken to fix the security vulnerability.

The SEC is not the only corporate governance stakeholder seeking more disclosures about cyber incidents. In its Governance QualityScore rating solution, Institutional Shareholder Services (ISS)ᶦᶦᶦ includes 11 factors that address information security risk management and oversight. These factors include board members’ information security expertise; frequency of briefing the board on information security matters; whether the company maintains a cyber risk insurance policy; and the existence of, and financial impact from, recent security breaches.

Our market observations

Based on insights gained through engagement with directors, as well as what EY cybersecurity leaders have learned from assignments around the globe and across industries and company sizes, we have identified these 10 leading practices to help boards oversee cyber risk:

  1. Elevate the tone. Establish cybersecurity as a key consideration in all board matters. If technology is a cornerstone of most business decisions, then cyber risk considerations should be part of board and management discussions about strategy, product and service growth plans, digital transformation and so on.
  2. Stay diligent. Address new issues and threats stemming from remote work and the expansion of digital transformation. And remember that every employee needs to be diligent, too — 74% of breaches involve a human element, according to Verizon’s 2023 Data Breach Investigations Report, issued in June 2023.
  3. Determine value at risk. Reconcile value at risk expressed in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage. The NACD recently formed an alliance with X Analytics to help boards with easy-to-understand business metrics to support effective cyber-risk board oversight, including assigning dollar amounts to cyber risk.
  4. Leverage new analytical tools. Such tools inform the board of cyber risks ranging from high‑likelihood, low‑impact events to low‑likelihood, high‑impact events (i.e., a “black swan” event).
  5. Embed security from the start. Embrace a “secure by design” philosophy when designing new technology, products and business arrangements. In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners published secure-by-design and -default principles and approaches.
  6. Independently assess the company’s cybersecurity risk management program. Obtain a rigorous third‑party assessment of the company’s cyber risk management program (CRMP), including testing of critical systems and processes.
  7. Evaluate third-party risk. Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain.
  8. Test response and recovery. Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third‑party specialists before a crisis.
  9. Understand escalation protocols. Have a defined communication plan for when the board should be notified, including incidents involving ransomware.
  10. Monitor evolving practices and the regulatory and public policy landscape. Stay attuned to evolving oversight practices, disclosures, reporting structures, and metrics and understand implications for how the company is staying in compliance with requirements.

Takeaways for board oversight

To provide effective oversight, boards must be familiar with the risks that cybersecurity can bring. With the appropriate level of familiarity, boards can effectively monitor the extent of the risks and influence investment decisions in order to mitigate the risk presented by cybersecurity threats and to be prepared when cyber incidents do occur. Leading boards are focused on prioritizing cybersecurity oversight, asking probing questions, staying current on regulations and increasingly transparent and timely disclosures to inform shareholders how the company is addressing cybersecurity risk. 


Questions for the board to consider

  • Is the board allocating sufficient time on its agenda, and is the committee structure appropriate, to provide effective oversight of cybersecurity disclosure requirements?
  • Does the company have a generative AI strategy?
  • How will the company use generative AI to challenge its existing business model? Does the company have a plan in place to mitigate AI risks?
  • Do the company’s disclosures effectively communicate the rigor of its cyber‑risk management program and related board oversight?
  • Has the board participated with management in one of its cyber breach simulations in the last year? How rigorous was the testing?
  • Have appropriate and meaningful cyber metrics been identified and provided to the board on a regular basis and given a dollar value?
  • What kind of threats is the company most concerned about? How does the company monitor the evolving threat landscape? Has the company been the target of a major cyber attack?
  • What information has management provided to help the board assess which critical business assets and partners, including third parties and suppliers, are most vulnerable to cyber attacks?
  • How does management evaluate and categorize identified cyber and data privacy incidents and determine which ones to escalate to the board?
  • What kind of policies has the company established on ransomware? How have the company and board approached the issue of payment?
  • Will new or pending privacy regulations and frameworks impact the organization’s strategy, competitive position, and business models and practices?
  • Has the board leveraged a third‑party assessment, as described in the NACD’s cyber‑risk oversight handbook, to validate that the company’s cyber risk management program is meeting its objectives? If so, is the board having direct dialogue with the third party related to the scope of work and findings? Has the board considered the value of obtaining a cybersecurity attestation opinion to build confidence among key stakeholders?
References

ᶦ “2022 Official Cybercrime Report,” Cybersecurity Ventures, available at www.esentire.com.

ᶦᶦ “Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024,” Gartner Security & Risk Management Summit, March 2023, Sydney, Australia.

ᶦᶦᶦ “ISS ESG Unveils 2021 Methodology Enhancements for Governance QualityScore,” ISS, February 8, 2021.

Summary

Boards play an important role in overseeing enhanced disclosures that clarify the board’s oversight of cybersecurity risks and its competency to provide it. To better understand leading disclosure practices, this annual report from the EY Center for Board Matters provides an analysis of cyber‑related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies over the past six years. The research shows steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.
