October 23, 2018

Cybersecurity: Fortune 100 Disclosure Practices

The SEC continues to ratchet up its scrutiny of cybersecurity issues. It issued disclosure guidance earlier this year & recently turned its attention to internal control implications of cybersecurity lapses.  But are companies getting the message?

This recent EY report provides some clues on the disclosure front.  It analyzes cybersecurity-related disclosures of Fortune 100 companies in proxy statements and Form 10-K filings. Not surprisingly, disclosure practices vary widely. Here are some some key findings:

– 84% of companies disclosed that at least one board-level committee was designated oversight of cybersecurity matters. At the same time, around 25% identified one or more “point persons” among the management team on cyber – e.g., the CISO or CIO.

– All companies included cybersecurity as a risk factor. In comparison, less than 15% voluntarily highlighted cybersecurity as a strategic focus in the proxy statement.

– 71% of companies described efforts to mitigate cybersecurity risk and 30% specifically referenced response planning, disaster recovery or business continuity considerations.

The report notes that cybersecurity risk management and incidents and related disclosures are a critical issue for investors & other key stakeholders. The SEC’s guidance & its high-profile enforcement proceeding involving Yahoo’s data breach indicate that this topic remains high on regulators’ list as well.

Cybersecurity: Board Oversight of a Dynamic Threat Environment

There’s also evidence to suggest that boards are taking cybersecurity threats – and the board’s oversight role in corporate efforts to prevent breaches – more seriously. For example, this recent EY memo reports on a recent cybersecurity board summit, in which 30 directors & other panelists participated. Here are some of the key takeaways:

– The board’s role is not cybersecurity risk management; it is cybersecurity risk oversight.
– Boards may need to restructure their committees and develop new charters to adequately oversee cybersecurity risk management.
– Directors want and need more education on cybersecurity risk.
– Boards need to engage a third party to independently and objectively assess whether the company’s cybersecurity risk management program and controls are meeting its objectives.
– These third parties should have direct dialogue with the board to report on the effectiveness of the company’s cybersecurity risk management program.
– Boards and companies need to adequately plan for a cybersecurity crisis, including having an arrangement with all their third-party specialists in place before a crisis hits.
– The board and management need to routinely practice the cybersecurity response plan.
– Management should consider providing the board regular updates with key metrics on critical cybersecurity controls communicated in plain English.

The memo notes that while improved detection efforts may increase the rate of cyber-related incidents, the rate of noteworthy incidents should decline as organizations improve how they manage and contain these incidents.

I’ve noticed that I blog a lot about cybersecurity. Maybe that’s because I’m a “Mr. Robot” fan – and I think anybody who’s watched that show probably has a bit of a knot in their stomach when they consider just how plausible the whole scenario of a truly devastating cyber-attack seems to be.

Theranos: “Things Fall Apart”

Despite my best efforts, I actually learned a few things in my college English classes. For example, I learned that everything Emily Dickinson wrote can be sung to the tune of “The Yellow Rose of Texas.” I also learned that John Keats’ last name is pronounced “Keets” & W.B. Yeats’ last name is pronounced “Yates.”

I also picked up a few lines from Yeats’ “The Second Coming”, one of which is “Things fall apart; the centre cannot hold.” That line came to mind when I read this article from MarketWatch’s Francine McKenna detailing the last days of Theranos. Check it out.

John Jenkins