Corporate boards expand cybersecurity risk oversight, report finds
Home/CyberSecurity / Corporate boards expand cybersecurity risk oversight, report finds
Corporate boards expand cybersecurity risk oversight, report finds

Dive Brief:

  • With new Securities and Exchange Commission disclosure rules set to take effect in early September, a study from the EY Center for Board Matters shows director oversight of cybersecurity at Fortune 100 companies is rapidly evolving. 
  • In SEC filings, 4 in 5 companies disclosed how often management reported to the board or committees on cybersecurity, the study found. Almost half of the companies reported at least annually to the board on cybersecurity. 
  • More than 3 in 5 companies disclosed cybersecurity as an area of expertise sought by the board, up from 1 in 5 in 2018.

Dive Insight:

EY's sixth annual study is based on proxy statements and annual reports of 75 of the top Fortune 100 companies, from fiscal year 2018 through May 31.

The research shows just how much cybersecurity has evolved as a focus of board oversight in recent years, as cybersecurity risk has become a much more prevalent concern for shareholders, customers and government regulators. 

The report indicates companies are streamlining the process of disclosing cyber risk information to the board. For example, 57% of Fortune 100 companies have designated at least one person to report these issues to the board, with most designating either a CISO or CIO. In 2018 only 23% of Fortune 100 companies made such a designation. 

The final SEC rules have heightened the cybersecurity mandate for companies, requiring them to disclose within four business days of determining an incident is material. But regulators also want to know how corporate boards are keeping track of information that follows those initial disclosures. 

“The rules include guidance in the event that any required information is not determined or is unavailable at the time the Form 8-K is completed, and among other requirements, registrants now are required to identify any board committee or subcommittee that oversees cybersecurity risk,” Pat Niemann, forum leader of EY Americas Audit Committee, said via email. 

The new rules also call for companies to disclose the process used to inform these committees, Niemann said



Source link