Chuck Seets is Americas Assurance Cybersecurity Leader and Pat Niemann is Americas Audit Committee Forum Leader at EY. This post is based on their EY memorandum.
Cybersecurity is reaching an inflection point. Risks are growing and broader regulations are looming. Some companies are keeping pace, but others are lagging, both in disclosures and warding off threats. To close these gaps, directors should foster a culture of cooperation while elevating the tone at the top.
This is the year for directors to double down on closing the gaps in the company’s cybersecurity defense and disclosure practices. The risks companies face, already high, are multiplying and accelerating, marked this year by potential threats tied to the war in Ukraine. Meanwhile, more guidance on cyber oversight and disclosure is here or on its way, from the Securities and Exchange Commission (SEC or commission), which proposed new rules earlier in 2022; and from Congress, which recently passed far‑reaching legislation. Additionally, Institutional Shareholder Services Inc. (ISS) added 11 new cyber risk factors to its Governance QualityScore in 2021.
In our latest analysis of cyber‑related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies, we found more companies providing information about how they are rising to the challenges. Yet in some areas, the gaps in information are nearly universal. For instance, only 9% disclosed performing response readiness simulations.
