The latest risk factor review by Deloitte and the USC Marshall Arkley Institute for Risk Management also specifically considered cybersecurity risk factors in annual reports filed by S&P 500 companies between November 8, 2022 and May 10, 2023. While all of the companies addressed cybersecurity risk in at least one risk factor and over 80% addressed it in multiple risk factors, the data highlights how different — and difficult to compare — cyber incident disclosures in risk factors were in 2023:
- Over 40% of companies, 179 of the 440 companies in our review, disclosed explicitly that they had not experienced a material cybersecurity incident.
  - Over half of those companies stated they had not experienced a material cybersecurity incident “to date,” while most other companies did not include any time period. Eight companies did limit the disclosure to the past year or past three years. Two companies disclosed that they had not experienced a material cybersecurity incident since the date of a previous material cybersecurity incident. […]
  - Ten additional companies disclosed that they had not experienced a “significant” cybersecurity incident.
  - Over 50% of companies remained silent, not disclosing whether or not they had experienced a material cybersecurity incident.
  - Approximately 3% of companies disclosed that cybersecurity incidents in the aggregate were not material. […]
- About 10% of companies, 47 of the 440 companies in our review, discussed [that] they experienced specific cybersecurity incidents, all identifying the date of either the incident, the discovery of the incident, or the announcement of the incident.
  - Only four companies stated explicitly that the incident was “material.” Four noted the incident was “significant.” Thirteen companies stated the incident was not material, another noted the incident was not significant, another, “relatively modest.” The rest of the companies—just over half—discussed neither materiality nor significance.
  - A few companies discussed cybersecurity incidents impacting a specific industry or a broad group of companies, but not necessarily incidents which they directly experienced.
The blog discusses the SEC’s recent cybersecurity rulemaking and reminds companies that risk factor disclosure that predated the SEC rules will need to be carefully reviewed and vetted for alignment with any newly prepared disclosures.
– Meredith Ervine