Next-Generation Cybersecurity Disclosures for Publicly Traded Companies

Paul Ferrillo is partner at McDermott Will & Emery LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a professor at Minnesota State University.

In 2018 the SEC issued its second round of guidance (the “2018 SEC Cyber Guidance”) to registrants on what it expected cybersecurity disclosures to address in forthcoming periodic filings. The 2018 SEC Cyber Guidance followed guidance issued in 2011 and came shortly after the 2017 Equifax breach, in acknowledgment that, as the guidance itself states, “Cybersecurity risks pose grave threats to investors, our capital markets and country.” With a focus on the materiality of cybersecurity risk and the importance of both the timely escalation of cyber incidents to the Board of Directors and the public disclosure of incidents to the markets, the 2018 SEC guidance was an important second step in imposing additional accountability around governing this significant business risk.

EY recently issued a research report on actual cybersecurity disclosures for 76 of the Fortune 100 companies from 2018 through May 2020 [1]. A few things stand out from the EY research. First, all of the companies in their research disclosed cybersecurity as a risk factor from 2018 through 2020, which was the focus of the 2011 SEC guidance. Only one company in 2020 did not disclose data privacy as a risk factor.

Second, there is wide variance in the practices being disclosed for board oversight of cybersecurity and its risk management. In general, the data tells us that cyber risk oversight and management practices likely lag disclosure practice.

The cumulative risks and litigation exposures related to cybersecurity are only going up for all companies. As the amount of business value that depends on digital means increases, the risks to that value naturally increase. Regulatory fines are also material financial exposures, and regulatory scrutiny is only going to increase, not only in the United States but in Europe as well.

Indeed, over €550 million in fines have been imposed since Europe introduced its General Data Protection Regulation (GDPR). California’s Consumer Privacy Act also went into force July 1, 2020 and will start to hold companies to a new standard of data privacy accountability. It is notable that over 60% of the fines imposed under GDPR relate to self-inflicted failings in effective cybersecurity risk practices. The largest source of fines is companies’ “insufficient technical and organizational measures to ensure information security.” This reinforces our argument that cybersecurity risk practices, and their disclosure, lag the actual risks that companies face.

We’ve highlighted some of the key points of the 2018 SEC Cyber Guidance alongside the results of the EY research to demonstrate that, in different ways, the SEC’s “expectations” are not necessarily being met by registrants.

Finally, we introduce a “next-generation” disclosure model that both amplifies and builds on the SEC 2018 guidance to fulfill the next logical objective in cybersecurity disclosures—reducing cybersecurity risk. We hope these recommendations can further develop investor transparency and trust in the spirit of the SEC guidance around the practices and policies that are focused on mitigating cybersecurity risk.

Overview of the 2018 SEC Cybersecurity Disclosure Guidance

The 2018 SEC Cyber Guidance [2] addressed several critical points focused on the disclosure practices of public companies with respect to cybersecurity risk. The Commission stated their objectives clearly by saying “…it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” [p. 4] The guidance also specifically addresses insider trading related to significant cybersecurity incidents and the need for policies and procedures to prevent this.

The Commission further stated that the key to these objectives is the “…development of effective disclosure controls and procedures…” [p. 5]. It also calls out the need for directors to be properly informed about the “…cybersecurity risks and incidents that the company has faced or is likely to face.” This expectation is both factual (what has happened) and forward-looking (what is likely to happen), which places a challenging burden on corporate directors.

In addressing materiality the Commission notes “In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” [3]

This far-reaching materiality statement identifies several unique aspects of cybersecurity related to systemic risk. The “range of harm” statement specifically addresses the interconnected nature of digital business systems and the systemic risk inherent within them: the risk that a threat starting in one part of a connected business system spreads and threatens the larger connected system, even moving between companies. The Commission also acknowledges the compound range of impacts that a cybersecurity incident can have, from regulatory fines and reputational damage to financial loss.

The 2018 SEC Cyber Guidance also addresses incident escalation through effective disclosure controls and procedures, and the board’s role in overseeing cybersecurity risk. The Commission notes, “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk. In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” [4]

We focus here on escalation and board oversight since they are linked. Without proper escalation procedures to senior management and ultimately the board, there is little chance that a board of directors will fully understand cybersecurity risk and its widespread implications.

Unlike some corporate disclosures, such as issuing financial statements in accordance with generally accepted accounting principles (GAAP), cybersecurity risk is fluid, unpredictable, doesn’t adhere to a definitive rule set, escalates quickly and is inherently systemic. Many corporate boards also lack directors who understand cybersecurity, whereas most public company boards are well served by directors with finance and accounting backgrounds as a result of the boardroom reforms imposed by the Sarbanes-Oxley Act in 2002.

We believe the ability of the corporate board to make good faith and well-informed decisions around cybersecurity will continue to be an increasing focus of the Delaware courts. [5]

In summary, the 2018 SEC Cyber Guidance focused on the key cybersecurity issues of materiality and timeliness of incident disclosure, two critical issues in cybersecurity risk oversight and management. These critical dimensions supplemented the 2011 SEC guidance, which focused on the identification of cybersecurity risk factors. Our next-generation recommendations focus on building trust and transparency through enhanced disclosure of more specific risk mitigation practices. Here’s what the EY research tells us with regard to these recommendations.

The EY Research

Based on the EY disclosure research, all companies identified cybersecurity risk factors throughout the three-year research period, and only one did not disclose data privacy as a risk factor in 2020, down from five in 2018. While not a validation of the quality or accuracy of the risk factors identified, disclosure indicates that these companies are making a concerted effort to understand the impact of cybersecurity risk across their business.

But disclosure does not equate to better security, i.e., recognizing a risk doesn’t equate to reducing its impact. We believe that a deeper look at the practices and procedures disclosed around boardroom cybersecurity oversight and risk management in the EY research tells a story around the significant amount of work that still needs to be done to reduce cyber risk.

The EY Research—Boardroom Oversight

The lack of disclosure around the regularity of management’s reporting of cybersecurity risk was a significant research finding that troubles us. Given the real-time, dynamic nature of cybersecurity risk, only 17% of companies in the EY research disclosed a structured reporting cadence from management, e.g., annually or quarterly. The vast majority of the remaining responses used terms such as “regularly” or “periodic.” We believe the dynamic and material nature of cybersecurity risk requires quarterly reporting as a standing boardroom agenda item.

Disclosure around director skills and experience in cybersecurity also indicates a potential weakness in the true ability of corporate boards to oversee cybersecurity risk. Only 46% of the companies EY researched indicated that cybersecurity was cited on a director biography. Directors can only govern what they understand. That this skillset is apparently so lacking, or didn’t merit disclosure, indicates a likely weakness in many corporate boards’ capability to effectively oversee this issue.

Boardroom structure also has a large role to play in the effectiveness of corporate oversight. EY’s research indicates that 67% of the companies reviewed disclosed that their audit committee oversees cybersecurity matters, up from 59% in 2018. While at first glance this may be seen as a positive indicator, it’s potentially a “bad practice” depending upon the audit committee involved. Audit committees in general lack the skills and time to adequately address cybersecurity risk. This “bad practice” does little to adequately address, oversee and reduce a risk as dynamic as cybersecurity.

Finally, in its research around cybersecurity risk management efforts, a startlingly low 7% of the 76 Fortune 100 companies disclosed that their cybersecurity preparedness efforts included simulations, tabletop exercises, or response readiness tests. Again, a lack of disclosure doesn’t mean the practices aren’t taking place, but disclosure of this fundamental practice is a strong signal to investors and regulators of diligence and preparedness.

| Guidance | Focus of Guidance | Objective of Guidance |
|---|---|---|
| SEC 2011 | Risk factors | Responsibility to understand impact |
| SEC 2018 | Materiality and timeliness | Responsibility to assess impact and timely disclose it |
| Next-Generation Recommendations | Board capability and approach to risk oversight | Responsibility to reduce risk and its impact |

Table 1 – Cybersecurity Disclosure Guidance Compared

Disclosure has an important role in informing investors and signaling to all stakeholders that the stewardship of the company is in good hands and effective oversight is taking place. Cybersecurity risk disclosures need to continue to evolve to reflect the systemic and constantly expanding nature of this dynamic risk. We offer a next-generation model of cybersecurity disclosures that reflects a deeper level of disclosure around the practices and procedures that indicate key risk mitigation practices, to enhance trust and transparency for all stakeholders.

A Next-Generation Cyber Risk Disclosure Model

Cybersecurity disclosure is an evolving area without a generally accepted or applied approach; the EY research clearly indicates this. Moreover, practicing and disclosing what is preached needs careful consideration and alignment. One can only hope that the cybersecurity practices in place don’t always mirror some of the spartan disclosures identified in the EY research, although they probably do in many cases.

We draw your attention back to the 2018 SEC Cyber guidance on board involvement:

“In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

“Discharging its risk oversight responsibility” effectively translates into actively and effectively governing how management reduces or optimizes the company’s cybersecurity risk profile and the cyber risk impact on the company’s business. To this end, cybersecurity disclosure needs to fulfill several objectives:

  • Exhibiting that the board has the ability to effectively understand and oversee cybersecurity risk and is considering its impact to the business effectively;
  • Demonstrating that the board is regularly and fully informed of the company’s cybersecurity risk position;
  • Showing that the organization is prepared to respond to a cybersecurity incident in a timely and effective manner; and
  • Displaying that cybersecurity risk is understood and is being effectively overseen and managed.

Our cybersecurity disclosure model accomplishes these goals for all stakeholders and signals to every constituency that cybersecurity risk management is a core competency of the organization. And since such a company apparently has its cyber risk management function under control, attackers may well conclude there are easier targets elsewhere.

We recommend the following disclosures in these four areas: Boardroom Capability, Boardroom Engagement, Cybersecurity Risk Practices and Cybersecurity Preparedness. We realize too that no two companies are alike, and thus no two disclosures will be alike. Nevertheless, it is our view that cyber risk disclosures should cover the following:

Boardroom Capability

  • List of directors with cybersecurity skills, abilities and experience
  • The amount of annual education/training delivered to directors in digital and cybersecurity risk oversight
  • List the use of outside experts and for what purpose
  • Identify any frameworks, e.g., Director, that the board has been trained on or applies to understand cybersecurity risk

Boardroom Engagement

  • Specify the number of times cybersecurity is discussed with management, e.g., quarterly
  • List who in the management team reports to the board on cybersecurity
  • Identify where on the board cybersecurity risk oversight responsibility is assigned, e.g., tech & cybersecurity committee, full board, audit committee
  • Disclose how many times a year the board reviews the company’s regulatory exposure in cybersecurity and data privacy, and if it’s been assessed by third-party

Cybersecurity Risk Practices

  • List any frameworks, e.g., NIST, that the management team follows in managing cybersecurity risk
  • Identify the reporting lines of the CISO
  • Identify if cybersecurity risk is a component of executive compensation
  • Disclose any collaboration with peers, industry or public-private partnerships
  • Disclose the use of third-party advisors independently engaged by the boardroom for risk or vulnerability assessments

Cybersecurity Preparedness

  • Identify the frequency with which the board goes through simulations, table-top exercises, and readiness exercises
  • How many times a year the board reviews the company’s incident response, business continuity and crisis communication plan
  • Disclose the frequency that employee training and cybersecurity awareness occurs
  • Disclose the frequency that all company individuals and employees—and board directors—undergo targeted phishing attacks and email social engineering training.

Disclosure isn’t a “get out of jail free” card for boards and companies. It needs to be combined with the practices and procedures that actually reduce risk. But improving disclosure of these comprehensive practices will start to improve how boards and management teams take steps to reduce cybersecurity risk and strengthen investor trust.

Endnotes

1. https://www.ey.com/en_us/board-matters/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight

2. Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 CFR Parts 229 and 249, February 26, 2018, https://www.sec.gov/rules/interp/2018/33-10459.pdf

3. 83 FR at 8168-69.

4. 83 FR at 8170.

5. See “Boards Should Care More about Recent Caremark Claims and Cybersecurity,” available at https://corpgov.law.harvard.edu/2020/09/15/boards-should-care-more-about-recent-caremark-claims-and-cybersecurity/
