Cybersecurity oversight disclosures: what companies shared in 2024


Many companies continue to increase their voluntary cybersecurity oversight disclosures to inform investors.


In brief

  • As the speed and complexity of cyber attacks increase, boards are enhancing their cyber expertise and engaging with cyber risk professionals.
  • Directors are playing a key role in supporting a company’s robust approach to cybersecurity by addressing cyber risks at the intersection of cybersecurity and corporate strategy.
  • Leading companies test cybersecurity response and resilience through a variety of exercises that involve the board of directors.

Disclosure is often a balancing act: companies aim to give the investment community relevant information on risk mitigation and on responses to material incidents, while limiting information that could be exploited by adversaries and bad actors.

Disclosures play an important role in communicating with the investor community and with stakeholders more broadly. In the quarter century since cyber risk became a core item on the board agenda, directors have recognized that it is an ever-evolving issue, requiring constant diligence and a focused approach to enable effective oversight. The past year has seen an increase in the sophistication of cyber threats; this has prompted companies to improve their cybersecurity frameworks, but it has also let adversaries mount more sophisticated attacks.

Notable developments in cybersecurity risks

  • New technologies are enabling growing threats: Generative AI (GenAI) is now being used in some way by nearly every company (93%), and many report that they have plans to use GenAI to improve cybersecurity[1] by helping them identify potential cyber risks, detect vulnerabilities and breaches, and prioritize cybersecurity efforts. However, cyber threats continue to grow. Last year the FBI saw a 10% increase in complaints and a 22% increase in losses suffered, which now total $12.5b per year.[2] Nearly a third (32%) of these incidents involve some type of extortion scheme, such as ransomware.[3]
  • Employees play a role in most cyber breaches: More than two thirds of breaches include some involvement by company workers, whether through phishing, behavior manipulation or other methods used to obtain and exploit employee credentials.
  • Third-party cyber risks are growing: Reliance on third parties for increasingly complex IT operating environments is expanding the threat surface area, that is, the places where an adversary may attack. It also may create single points of failure in critical systems that can be disrupted.
  • Growing use of external advisors: Due to its continuously evolving nature, cybersecurity is an area of constant diligence for directors and boards. Disclosures about the company’s use of an external independent advisor more than doubled, from 43% in 2023 to 87% in 2024, and 10% reported that their boards engage with one.
 

2024 cyber disclosure trends

Since we started tracking cyber disclosures in 2018, there has been a steady increase in voluntary cybersecurity disclosures. The SEC now requires publicly listed companies to disclose a wide variety of cybersecurity risk management and oversight information, including how the board is governing cyber risk.[4]

Overall, public companies continue to disclose greater amounts of information about cybersecurity. Every aspect of cybersecurity we track in disclosures has increased since we began this effort in 2018. An analysis of cybersecurity oversight disclosures made by Fortune 100 companies reveals the following:

  • Audit committees continue to oversee cyber: Despite an increasingly heavy workload, 81% of Fortune 100 companies report that cybersecurity oversight falls to the audit committee, up from 61% in 2018.
  • Cyber expertise is in demand: Although the SEC cyber disclosure rule does not require companies to report on the cyber expertise of board members, our review of company filings shows that cyber expertise is in demand. Nearly three quarters (72%) of companies disclose cyber as an area of expertise sought on the board, and nearly as many (71%) disclose cybersecurity in at least one director biography, up from 34% in 2018.
  • Dedicated cyber risk experts are engaging with the boardroom: 70% of companies report that the Chief Information Security Officer (CISO) provides the board with cyber risk information, up from just 9% in 2018.
  • Dedicated board time on cyber: More than half (57%) report the frequency of meeting with management on cybersecurity as at least annually or quarterly. The rest are less specific, saying "frequently" or "periodically." This is more than four times the share with a similar disclosure in 2018.
  • Preparedness exercises are common: Nearly half of companies (47%) now report performing simulations, tabletop exercises or response readiness tests as part of their preparation efforts, up from just 3% in 2018.

Fortune 100 company cybersecurity disclosures

What follows is an analysis of Fortune 100 company disclosures. As of May 31, 2024, 79 of these companies had filed their proxy statements and 10-Ks, and these companies formed the universe for this analysis. The work reflects observations across company filings for the past seven years. Because of the timing of fiscal years, some now-required cyber disclosures appear at less than 100 percent. For voluntary disclosures, the fact that a matter is not disclosed does not mean it is not performed; it simply means that the company did not include disclosures about the activity in its filings.

Share of Fortune 100 filers making each disclosure, by year:

2024  2022  2020  2018  Topic
 95%   89%   85%   76%  Disclosed that at least one board-level committee was charged with oversight of cybersecurity matters*
 81%   72%   67%   61%  Disclosed that the audit committee oversees cybersecurity matters
 13%   11%   10%    9%  Disclosed oversight by a risk committee
 10%    9%    8%    9%  Disclosed oversight by a technology committee
  8%    8%    8%    3%  Disclosed oversight by another committee (e.g., compliance)

2024  2022  2020  2018  Topic
 85%   68%   61%   42%  Cybersecurity disclosed as an area of expertise sought on the board or cited in at least one director biography
 72%   51%   35%   19%  Cybersecurity disclosed as an area of expertise sought on the board
 71%   56%   49%   34%  Cybersecurity cited in at least one director biography

2024  2022  2020  2018  Topic
 96%   78%   57%   51%  Provided insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters**
 84%   42%   25%   18%  Identified at least one C-suite role providing cybersecurity insights to the board (e.g., the CISO or CIO)
 70%   28%   16%    9%  Chief Information Security Officer (CISO) specifically mentioned
 28%   16%   10%    8%  Chief Information Officer (CIO) specifically mentioned
 11%    4%    0%    8%  Chief Technology Officer (CTO) specifically mentioned
 95%   70%   46%   34%  Included language about frequency of management reporting to the board or committee (most of this language was not specific)
 57%   44%   18%   13%  Disclosed reporting frequency of at least annually or quarterly; remaining companies used terms like “regularly” or “periodically”

2024  2022  2020  2018  Topic
100%   99%   95%   85%  Referenced efforts to mitigate cybersecurity risk, such as the establishment of processes, procedures and systems
 57%   20%    4%    2%  Disclosed alignment with an external framework or standard**
 47%   14%    3%    1%  National Institute of Standards and Technology (NIST)
 20%    4%    1%    1%  International Organization for Standardization (ISO)
 14%    6%    0%    0%  Other**
 95%   73%   65%   53%  Referenced response readiness, such as planning, disaster recovery or business continuity considerations
 47%    9%    6%    3%  Stated that preparedness efforts include simulations, tabletop exercises or response readiness tests
 25%   20%   13%    8%  Stated that the company maintains a level of cybersecurity insurance
 11%   10%    6%    1%  Included cybersecurity in executive compensation considerations

2024  2022  2020  2018  Topic
 82%   47%   28%   15%  Disclosed use of education and training efforts to mitigate cybersecurity risk

2024  2022  2020  2018  Topic
 28%   14%   10%    6%  Disclosed collaborating with peers, industry groups or policymakers

2024  2022  2020  2018  Topic
 87%   34%   16%   15%  Disclosed use of an external independent advisor

* Some companies delegate cybersecurity oversight to more than one board-level committee.

** Some companies disclose more than one external framework or standard to which they seek to align. Such frameworks or standards cover different scopes and may not cover all aspects of the enterprise; some, but not all, include external certification or attestation. Other frameworks or standards not broken out here include the Payment Card Industry Data Security Standard, the Health Information Trust Alliance, System and Organization Controls 1 and 2, and more.

Leading practices in cybersecurity oversight

Based on EY discussions with directors, industry groups, cyber leaders and public policy professionals, we have identified these 10 leading practices to help boards oversee cyber risk. Each practice is followed by the actions to take and the questions to consider.

Elevate the tone

Establish cybersecurity as a key consideration in all board matters. If technology is a cornerstone of most business decisions, then cyber risk considerations should be part of board and management discussions about strategy, product and service growth plans, digital transformation, and so on.

  • What parts of our business are most vulnerable to cybersecurity disruptions?
  • What critical single points of failure are existential risks to the company?

Stay diligent

Address new issues and threats stemming from remote work and the expansion of digital transformation.

  • How does the company assess, monitor and improve its cyber risk culture?
  • Who is in the best position to provide this information to the board?

Determine value at risk

Reconcile value at risk expressed in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage.

  • What metrics can best show the company’s value at risk?
  • How well does the company’s risk tolerance match its value at risk?

Leverage new analytical tools

Such tools inform the board of cyber risks ranging from high‑likelihood, low‑impact events to low‑likelihood, high‑impact events (i.e., a “black swan” event).

  • How does management determine which risks should be elevated to boardroom conversation?
  • How confident is the board that it’s having discussions about the right risks? 

Embed security from the start

Embrace a “secure by design” philosophy when designing new technology, products and business arrangements. Last year, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners published secure-by-design and -default principles and approaches.

  • What is the company’s approach to secure by design?
  • How does the board know that this approach is being followed?

Independently assess

Obtain a rigorous third‑party assessment of the company’s cyber risk management program (CRMP), including testing of critical systems and processes.

  • How did management determine who to partner with for a third-party assessment?
  • What are the most important areas of disagreement with the third-party review and what are the planned action steps?

Evaluate third-party risk

Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain.

  • What third parties represent a single point of failure to critical systems?
  • What do we know about the risks posed by third parties and their downstream suppliers and providers?

Test response and recovery

Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third‑party specialists before a crisis.

  • What experience does the board have with realistic and complex simulation exercises?
  • How are the outcomes of the simulations incorporated into the company’s crisis response planning?

Understand escalation protocols

Have a defined communication plan for when the board should be notified, including incidents involving ransomware.

  • Under what conditions is the board notified and how long should it take?
  • What is the board’s role in the plan and how will the board be notified if it changes?

Monitor the regulatory and public policy landscape

Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics and understand implications for how the company is staying in compliance with requirements.

  • Who is responsible for monitoring the regulatory and public policy landscape?
  • How are relevant groups notified and processes updated with relevant changes?


Questions for the board to consider

  • How does the board determine if its board and committee portfolios are best aligned to oversee the company’s evolving cybersecurity needs?
  • Does the committee currently overseeing cyber risk have adequate time and resources to do its job?
  • What information has management provided to help the board assess which critical business assets and partners, including third parties and suppliers, are most vulnerable to cyber attacks?
  • How do the board’s current cyber skills and expertise map to the company’s current and future needs?
  • If expert knowledge by the board is needed, how would it get it?
  • How does the board view the importance of a single cyber expert vs. a broad set of board members with cyber expertise?
  • How does the board ensure that it is receiving the right information from management on cyber risk?
  • How does the board ensure that it is hearing from the right voices on cyber risk?
  • Does management provide a holistic perspective on cyber risk ranging from threats and response to the state of the company’s cyber risk culture?
  • Which external cybersecurity framework is used, why was it chosen, and would management choose it again if making the decision today?
  • How does the board know that the company’s cyber crisis response plans are up to date and relevant?
  • What roles and responsibilities does the board have during a cyber risk event and which are the responsibilities of management?


Summary

We have been tracking cyber-related disclosures since 2018. Since then, we’ve observed a steady increase in voluntary cybersecurity disclosures in every disclosure aspect we track. Our analysis shows that audit committees continue to oversee cybersecurity even with an increasingly heavy workload, and even though the SEC cyber disclosure rule does not require companies to report on the cyber expertise of board members, company filings show that cyber expertise is in demand.

