Steve W. Klemash is Americas Leader at the EY Center for Board Matters; Jamie C. Smith is Investor Outreach and Corporate Governance Specialist at the EY Center for Board Matters; and Chuck Seets is Americas Assurance Cybersecurity Leader at EY. This post is based on their EY memorandum.
Cybersecurity risk is intensifying, particularly with widespread remote working and increased online interactions amid the pandemic. The rapid adaptation of multiple business processes and protocols to enable this virtual environment has exponentially increased the corporate attack surface and introduced new risks to the confidentiality, integrity and availability of critical company data and supporting systems.
The return of some workers to a physical workplace is also raising new data security risks and privacy questions, with companies collecting data related to employee, contractor and customer health such as COVID-19 testing, temperature checks and contact tracing. At the same time, harnessing new and disruptive technologies—and enabling the trust of stakeholders and the marketplace in doing so—is key to helping organizations lead, innovate and differentiate.
In this environment, remaining cyber-resilient and building stakeholder trust in the company’s data security and privacy practices are strategic imperatives. Public disclosures can help build trust by providing transparency and assurance around how boards are fulfilling their cybersecurity risk oversight responsibilities.
For the third consecutive year, EY researchers have analyzed cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies to identify emerging trends and developments and help companies identify opportunities for enhanced communication. We looked at 76 Fortune 100 companies that filed those documents from 2018 through May 31, 2020. We focused on the areas of cybersecurity board oversight (including board-level committee oversight and director qualifications), statements on cybersecurity and data privacy risks, and risk management (including cybersecurity risk mitigation and response efforts and engagement with external security consultants). We also examined the current regulatory and US public policy landscape as it relates to cybersecurity, as well as perspectives from investors, directors and EY cybersecurity professionals.