Directorship Magazine
Online Exclusive
Cybersecurity Oversight: The More Things Stay the Same, the More They Change
Public company disclosures reveal three shifts in cybersecurity oversight, including the adoption of maturity frameworks, tabletop exercises, and ongoing board education.
Cybersecurity can seem like an arms race: As threat actors escalate the frequency, scale, and sophistication of their attacks, company leaders are increasing their investments in defense and recovery to improve resilience. Public disclosures offer an interesting lens on the ways cybersecurity governance practices are keeping pace with these changes; they can also spark conversation among directors about continuous improvement in the board’s oversight of this evolving risk.
EY analysts have tracked board-related cybersecurity disclosures by large-cap public companies since 2019. While some types of cybersecurity oversight disclosures have been used consistently, even before the US Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules became effective in December 2023, there have been significant increases in other cybersecurity disclosures over the last few years.
Below are three notable shifts in disclosure trends that should prompt boardroom discussions on how to keep cybersecurity oversight fit for purpose:
1. Alignment with a cybersecurity maturity framework or standard. In 2025, 73 percent of Fortune 100 companies studied disclosed the use of one or more external frameworks, such as those published by the National Institute of Standards and Technology or the International Organization for Standardization, to benchmark their cybersecurity programs’ level of maturity, up from only 4 percent in 2019. Put simply, more companies are sharing this information as a way to demonstrate to customers, business partners, investors, and other stakeholders that they are taking a structured approach to assessing their cybersecurity defense activities.
Many directors also now hear regularly from the chief information security officer (CISO) about the maturity of the company’s cybersecurity program; in prior years, other members of the C-suite might have delivered reports to the board on cybersecurity matters. On some boards, the CISO’s reporting also includes an executive session with the CISO, similar to those that audit committees convene with the chief financial officer or internal audit leader.
Regardless of who does the reporting, board members should question how the company assesses its cybersecurity program maturity against peers and other external benchmarks and whether such assessments are conducted internally by management or externally by a third party.
Directors should also request a firsthand report from the independent assessor so they have an opportunity to ask questions, including about the resulting action plans and timeline to address any gaps. Similar to other cybersecurity metrics, the assessment results should be framed in business terms, not in technical terminology that is geared toward information security professionals.
2. Use of tabletop exercises or simulations. It has become commonplace for large companies to mention business continuity or disaster recovery planning in their disclosures; nearly all Fortune 100 companies studied referenced some type of response readiness in their 2025 proxy statements. Voluntary disclosures about tabletop exercises are less common but have surged in recent years, from 3 percent of companies disclosing this in 2019 to 58 percent in 2025.
Directors should ask the CEO and senior leaders to describe how they measure the effectiveness of cybersecurity tabletop exercises and how their outcomes are incorporated into the company’s crisis response and recovery planning.
Additionally, board members should probe how tabletop exercises are refreshed as new risks, evolving technologies, and changing regulatory and compliance requirements emerge so exercise participants don’t fall into a “check-the-box” mode. Directors should also determine when and how the board can be involved in tabletop exercises, such as during a ransomware scenario that requires board approval of the decision to pay or not to pay the ransom.
3. Ongoing education for the board. Voluntary disclosures in this area have more than tripled since 2019, jumping from 25 percent to 86 percent of companies. This aligns with what the EY Americas Center for Board Matters has observed in its board education work: Cybersecurity has consistently been the number-one topic requested for board and key-committee briefings, as directors seek to tap advisors to provide external perspectives on the cyber-threat environment, relevant regulatory developments, and trends in board oversight practices.
Briefings from independent advisors, law enforcement representatives, or other subject matter experts serve as a complement to, but not a replacement for, the information the board receives from management. Nominating and governance committees can review the board’s education calendar and identify opportunities to bring in these outside perspectives at breakfast or lunch talks during board meetings or schedule virtual discussions based on directors’ availability to avoid adding to packed meeting agendas.
Cyber risk is here to stay, and a resilient cybersecurity posture can help enhance stakeholder trust and improve competitive positioning. In a 2025 Gartner survey, 85 percent of CEOs said they view cybersecurity as a critical component of achieving business growth. Leading boards recognize this opportunity and are adapting their oversight activities to stay current and relevant as the risk environment continues to evolve.
The views expressed in this article are the author’s own and do not represent the perspective of NACD.
The views reflected in this article are the views of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.
Ernst & Young LLP is a NACD sponsor, providing directors with critical and timely information and perspectives. Ernst & Young LLP is a financial supporter of the NACD.

Robyn Bew is a director with the EY Americas Center for Board Matters. She is a frequent speaker and author on a wide variety of corporate governance topics and is a 2025 NACD Directorship 100™ honoree.
