In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity disclosure issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.
But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
In introducing their analysis, the authors noted that “companies face particular challenges in publicly reporting cybersecurity threats.” This is due in part to “the need to disclose material information while keeping potentially sensitive information out of the hands of attackers.”
Overall, the authors found that “the depth and nature of cybersecurity-related disclosures vary widely,” which the authors interpreted as suggesting that there is “opportunity for enhancement in how cybersecurity risks, cybersecurity risk management frameworks and board oversight are communicated.” The authors stated further that “by sharing information on the state of current disclosure efforts, stakeholders can gain an understanding of where opportunities for enhancement exist, and how to drive and establish leading practices.”
In order to assess cybersecurity disclosure practices, the report’s authors analyzed the cybersecurity-related disclosures in proxy statements and in annual reports on Form 10-K of the Fortune 100 companies for which documents were available (79 companies). The authors separated their analysis into three disclosure topics: board oversight; statements of cybersecurity risk and strategy; and risk management.
Board Oversight: Most companies disclosed that cybersecurity is among the risks overseen by the board. 84% of the companies reviewed disclosed that at least one committee was charged with cybersecurity oversight. 70% disclosed that the audit committee oversees cybersecurity matters. 41% identified cybersecurity experience as among key director qualifications highlighted or considered by the board. 41% of the companies reviewed included disclosures relating to how management reports to the board or board committees about cybersecurity. 34% of reporting companies included disclosures identifying the frequency of management reporting to the board or board committee.
Statements of Cybersecurity Risk and Strategy: 100% of reporting companies identified cybersecurity as a risk factor, with 92% “prominently highlighting this topic by using a subheading or subtitle.” While identification of cybersecurity as a risk factor was universal, only 14% of reporting companies highlighted cybersecurity as a strategic focus, and only 6% disclosed that cybersecurity was a topic of shareholder engagement conversations.
Cybersecurity Risk Management: 71% of reporting companies described efforts to mitigate cybersecurity risk, such as investing in personnel, training, and monitoring, or the establishment of procedures and processes. 30% referenced response planning, disaster recovery or business continuity considerations. 3% identified preparedness measures such as simulations, tabletop exercises or other response readiness initiatives. 15% of reporting companies disclosed the use of education and training efforts to mitigate cybersecurity risk. 5% disclosed collaborating with peers, industry groups, or policymakers. 14% disclosed the use of an external independent advisor.
The report also offered a brief list of questions for corporate boards to consider with respect to cybersecurity issues:
- Has the board formally assigned responsibility on cybersecurity matters—at the board and management levels?
- Does the board have access to the needed expertise on cybersecurity? And is the board getting regular updates and reports concerning cybersecurity risk strategy and event preparedness?
- Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
- Does the board know how management has performed in recent tabletop exercises simulating cybersecurity incidents—and has the board participated in any such exercises?
- Is the board hearing directly from and having a dialogue with third-party experts whose views are independent of management?
- How will the SEC guidance and investor interest impact 2019 disclosures?
In conclusion, the authors noted that “as cybersecurity threats evolve and risks become more complex and widespread, focus on corporate disclosures in public filings on the subject likely will intensify.”
Cybersecurity disclosures – particularly disclosures related to data breach-related incidents and data privacy – have been and will continue to be an area of significant scrutiny, not only by investors and other stakeholders, but also by regulators and plaintiffs’ attorneys. Indeed, cybersecurity, data breach, and data privacy disclosure issues have been a significant source of securities class action litigation so far this year.
By the same token, in its recent annual report, the SEC highlighted the fact that it had brought its first cybersecurity disclosure-related enforcement action earlier this year. The enforcement division also noted that as of the end of the 2018 fiscal year on September 30, 2018, the agency had over 225 cyber-related investigations ongoing, many of which undoubtedly are related to cybersecurity disclosures.
Clearly, cybersecurity-related disclosure practices are a key consideration for any publicly traded company interested in mitigating its securities class action and securities enforcement exposures. The EY report highlights the fact that cybersecurity disclosure best practices are still evolving; indeed, given the nature of the underlying risk, which is itself rapidly evolving, the likelihood is that cybersecurity-related disclosure practices will continue to evolve. But well-advised companies will seek to ensure that their disclosures provide significant insight into the state of the company’s cybersecurity oversight and readiness.
The growing risk of cybersecurity-related securities litigation and enforcement action clearly is a concern for D&O insurance underwriters. Underwriters increasingly will include a review of cybersecurity-related disclosure practices in their consideration of their public company accounts and applicants. Underwriters have and will continue to have an interest in developing their own understanding of cybersecurity disclosure best practices. The rise in the importance of cybersecurity disclosure practices is just one more example of the way in which D&O insurance underwriting is shifting away from its prior, almost exclusive focus on financial statement analysis and toward a broader array of qualitative considerations.
This Week: I will be heading out to San Diego tomorrow for the annual PLUS Conference later this week. On Thursday morning, I will be participating in a panel with Nora McGee of AIG and Cathy Padalino of AON on the topic “New D&O Exposures & Coverage Trends in Underwriting.” I hope everyone will be there. I will be around the conference venue as well. I hope readers who see me will make a point of stopping to say hello, particularly those whom I have not previously met. See you all in San Diego!
There will be a brief interruption in The D&O Diary’s publication schedule while I am away. The normal publication schedule will resume when I return.