Trends, surprises emerge from early research on cyber-related SEC disclosures
Rob Sloan, VP, Cybersecurity Advocacy, Zscaler
For the past few weeks, I’ve been heads down analyzing what we can learn about cybersecurity from proxy statements from S&P 500 companies. A few trends were expected, but the complete results were nevertheless surprising.
I broke down the findings into three broad areas:
- Board committee oversight of cybersecurity – Unsurprisingly, the majority of boards (four out of five) delegate cybersecurity oversight responsibility to their audit committee. Despite authorities like the National Association of Corporate Directors recommending that cyber risk oversight be treated as a full-board issue, my research found that only 8% of the 500 companies did so in practice.
- Disclosure practices in proxy statements – Only 79% of companies judged it necessary to make any disclosures about their cyber programs to investors, and those that did often failed to disclose anything concrete. The analysis also showed how few companies disclosed previous cyber incidents, and that only 8% stated they aligned with the National Institute of Standards and Technology’s Cybersecurity Framework.
- Disclosing director cybersecurity expertise – Disclosures around director expertise in cybersecurity are problematic. While disclosing directors’ cybersecurity credentials was initially proposed as a component of the new SEC disclosure rules, it was ultimately dropped, and the result appears to be “gaming” of the system by boards. Over half of boards included cybersecurity on their board skills matrix, but too often the skill was bundled with a broader one, such as information technology, which allowed more directors to check the box.
I would love to hear your thoughts on my complete research. You can learn more on LinkedIn or find a combined piece discussing it here.