EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Cyberattacks have become more common in recent years and the price of paying off the criminals has “exploded,” said Patrick Hynes, a principal in the Advisory Cyber Threat Management practice of Ernst & Young LLP, citing EY internal shadow investigations showing that the average ransomware payment in fiscal year 2024 more than doubled to $8 million, from $3.7 million in FY2023. Worse yet, more companies are being targeted for ransomware, according to the shadow investigations.
A traditional ransomware attack involves a break-in and disruption of a company’s systems, with a demand for money (in bitcoin) to “unlock” the encrypted data, Hynes said. Now, more and more cyber criminals are turning to extortion, he said, by threatening to release highly sensitive or embarrassing information online. And even after a payment is made, there are no guarantees — all that a company gets is a “pinky promise” that the stolen data has been deleted.
The SEC’s July 2023 cybersecurity rule “is disclosure only,” said David Horn, a managing director in the Technical Accounting Advisory Group at Ernst & Young LLP. “It doesn’t require companies to change policies, procedures, processes or systems, but many have discovered they needed to make certain changes in order to comply with the disclosure requirements.”
A recent analysis of Form 10-Ks and proxy statements filed by Fortune 100 companies found that 81% have assigned cyber oversight to audit committees, compared with 61% in 2018; and 47% now perform simulations, tabletop exercises or response readiness tests, up from just 3% in 2018.1
As for the developing trends in disclosures, three stand out. First, disclosures have to be tailored to the company’s specific facts and circumstances (one size does not fit all). Second, materiality determinations continue to be a challenge for many companies, as they need to consider both quantitative and qualitative factors. Third, several companies have reported incidents under Item 1.05 of Form 8-K, rather than under Item 8.01, after concluding that the incidents were not material or before a materiality conclusion had been reached.
Several finance executives said that they are grappling with oversight issues regarding the granting of access to company data, particularly when it comes to privileged access. Regular reviews on tighter schedules are needed to continue or revoke such access.
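As an added illustration of the recurring access review described above (this is example code written for this page, not EY's or any panelist's tooling), the script below recertifies access grants on a fixed cadence, with a tighter schedule for privileged access. Grants whose review is overdue and that an owner has not recertified are queued for revocation; recertified ones get a fresh review date. The grant records, review intervals and dates are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review cadence: privileged grants are recertified more often than
# standard ones. The intervals are illustrative, not a recommendation.
REVIEW_INTERVAL = {
    "privileged": timedelta(days=30),
    "standard": timedelta(days=90),
}


@dataclass
class AccessGrant:
    user: str
    resource: str
    level: str            # "privileged" or "standard"
    last_reviewed: date   # date the grant was last certified by its owner
    recertified: bool = False  # owner confirmed the access is still needed


def review_due(grant: AccessGrant, today: date) -> bool:
    """True when the grant has gone longer than its allowed interval without review."""
    return today - grant.last_reviewed > REVIEW_INTERVAL[grant.level]


def triage(grants: list[AccessGrant], today: date) -> tuple[list[AccessGrant], list[AccessGrant]]:
    """Split grants into (continue, revoke).

    Overdue grants that the owner has not recertified are revoked; recertified
    ones are continued with the review date reset so the clock starts again.
    """
    keep, revoke = [], []
    for g in grants:
        if not review_due(g, today):
            keep.append(g)
        elif g.recertified:
            g.last_reviewed = today
            g.recertified = False   # the next cycle needs a fresh confirmation
            keep.append(g)
        else:
            revoke.append(g)
    return keep, revoke


def audit_lines(revoked: list[AccessGrant], today: date) -> list[str]:
    """Audit-trail lines for the revocation decisions."""
    return [
        f"{today.isoformat()} REVOKE user={g.user} resource={g.resource} "
        f"level={g.level} last_reviewed={g.last_reviewed.isoformat()}"
        for g in revoked
    ]


def run_sample() -> tuple[list[AccessGrant], list[AccessGrant]]:
    """Run the review over constructed sample grants for a fixed review date."""
    today = date(2024, 10, 1)
    grants = [
        # privileged, 47 days old, not recertified -> revoke
        AccessGrant("alice", "prod-db", "privileged", date(2024, 8, 15)),
        # privileged, 47 days old, owner recertified -> continue, date reset
        AccessGrant("bob", "prod-db", "privileged", date(2024, 8, 15), recertified=True),
        # standard, 47 days old, inside the 90-day window -> continue
        AccessGrant("carol", "wiki", "standard", date(2024, 8, 15)),
        # standard, 153 days old, not recertified -> revoke
        AccessGrant("dave", "wiki", "standard", date(2024, 5, 1)),
        # privileged, 21 days old, inside the 30-day window -> continue
        AccessGrant("erin", "secrets-vault", "privileged", date(2024, 9, 10)),
    ]
    keep, revoke = triage(grants, today)
    for line in audit_lines(revoke, today):
        print(line)
    return keep, revoke


if __name__ == "__main__":
    run_sample()
```

The point of the `recertified` flag is that silence is not consent: a grant that nobody vouches for by the deadline is revoked rather than quietly continued, which is what makes a review cadence enforceable rather than advisory.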
Another executive described the two attacks that her company experienced. One required disclosure; the other did not. A number of remediation efforts have been made, including introducing or strengthening preventive and detective controls and enhancing the company’s risk culture. Now, every employee is deemed to own the risk and has a role to play in controlling it.
The more recent breach “set a regular cadence of meetings once it was discovered — once a day or more — and then less as the incident matured,” the executive said. “We’re probably on a multi-year journey. We have a massive modernization going on to replace a ton of legacy technical systems with centralized tools and architecture.”