Cybersecurity Disclosures: What Progress Has Been Made?

Subodh Mishra is Global Head of Communications at Institutional Shareholder Services. This post is based on an ISS Corporate Solutions memorandum by Senior Editor, Paul Hodgson.

Disclosures on cybersecurity practices for the S&P 500 and the remainder of the Russell 3000 are inching forwards in the face of increased expectations to be introduced by the Securities and Exchange Commission (SEC) in early 2023, though not in every instance. To determine progress, ISS Corporate Solutions assessed data on the Governance Quality Scores (GQS) of companies against a series of 11 cyber security GQS questions, including: “How often does senior leadership brief the board on information security matters?” and “Is the company externally audited or certified by top information security standards?” Data was analysed most recently as of Oct 2, 2022.

Our observations across many of the GQS questions show that companies’ disclosure practices have increased marginally in advance of the coming SEC regulations.

Key Takeaways

  • Increases in disclosures include:
    • companies indicating clear approaches to identifying and mitigating information security risks
    • senior leadership briefing boards on information security (only a minimal increase)
    • information security training programs
    • the number of companies with independent information security committees in the S&P 500
    • the number of companies with an information security risk insurance policy
  • The number of companies with at least one director with information security experience increased marginally in the S&P 500, though it decreased in the Russell 3000, excluding the S&P 500

A number of companies have moved from general disclosure to a clear approach in terms of disclosing how they identify and mitigate information security risks, with those demonstrating a clear approach increasing by around 2 percentage points in both indexes.

There are growing numbers of directors with information security experience on boards, sometimes with large numbers on individual boards; there were 41 companies with 10 or more such directors in June. However, this number fell to 38 in October, hypothetically because the definition of ‘information security experience’ has become more specific following the recent SEC proposed rule. As can be seen from the table below, there continue to be large numbers of companies in the Russell 3000, excluding the S&P 500, that have no directors with information security experience: almost half. Indeed, the number with no such directors increased from June to October, hypothetically for the same specificity reasons noted above.

The increase in the proportion of companies reporting that senior leadership briefs the board on information security matters either annually or more frequently is minimal, with the majority of the Russell 3000, excluding the S&P 500, not even disclosing that such briefings occur.

As regards security training programs, there are still very few disclosures, but again there has been a small increase in the number of companies indicating that they have a training program and that it is either annual and/or robust.

There has also been a small increase in the number of companies reporting that they have entered into an information security risk insurance policy, again, of around 2 percentage points.

While very few companies report information security breaches, those that do continue to be concentrated among the largest companies. Most breaches continue to be “not materially disruptive,” though even where there were costs and damages, these are often not disclosed. Very similar proportions are seen for companies reporting net expenses incurred from information security breach penalties and settlements over the last three years relative to total revenue.

The number of companies reporting an information security committee is increasing, both in the S&P 500 and the Russell 3000, excluding the S&P 500, though not by large amounts. However, the proportion of companies in the Russell 3000, excluding the S&P 500 with independent members on the committee is barely above half, while in the S&P 500 it now exceeds nine out of 10.

Even fewer companies in the Russell 3000, excluding the S&P 500, gave any information in October on whether the company was audited or certified by an external agency than made the disclosure in June. Even in the S&P 500 there was barely any increase in the number either partially or fully disclosing external audits.
