The U.S. Securities and Exchange Commission (SEC) issued guidance in 2018 promoting clearer and more robust disclosure about cybersecurity risks and incidents and how boards discharge their cybersecurity risk oversight responsibility.
Our 2018 Cybersecurity disclosure benchmarking report explored how companies were responding to this guidance.
We undertook the same research this year to help inform stakeholders of emerging trends and developments.
We analyzed three areas of cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies from 2018-2019: board oversight (including risk oversight approach, board-level committee oversight, and director skills and expertise), statements on cybersecurity risk, and risk management (including cybersecurity risk management efforts, education and training, engagement with outside security experts and use of an external advisor).
We found that many companies are enhancing their cybersecurity disclosures, with the most significant changes related to board oversight practices.
E&Y: What companies are sharing about cybersecurity risk and oversight