
Cybersecurity Oversight Disclosures - 10 Questions for Boards

By Robyn Bew and Patrick Hynes

04/16/2026

Partner Content Provided by Internet Security Alliance

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, provides questions for directors to consider in preparing a proxy statement or other disclosures related to the board’s oversight of cybersecurity.

Introduction

Cybersecurity remains front and center on corporate agendas, as risks and regulatory requirements both continue to proliferate, and AI introduces new dimensions to the threat landscape. Business leaders recognize that a strong cybersecurity posture can help build customer and stakeholder trust and strengthen competitive positioning: in a 2025 survey, no less than 85 percent of CEOs said they view cybersecurity as a critical component to achieving business growth.

Investors and other stakeholders are paying attention and seeking more information on how boards and company leaders oversee and manage cyber risks. BlackRock, the world’s largest asset manager, stated, “[We believe] that data security is a material issue for more and more companies and regularly [engage] boards and management teams regarding the oversight and management of data privacy and security, crisis preparedness and response as well as related company disclosures.”

The SEC’s rules on cybersecurity disclosures, which became effective in 2023, include several components related to board oversight, such as where oversight responsibilities are allocated and the process by which the board is informed about cyber risks. EY’s Center for Board Matters has tracked large-cap companies’ proxy statement disclosures related to cybersecurity oversight for several years. Beyond the now-required disclosures, we continue to see companies and boards disclosing additional information about their cybersecurity oversight activities on a voluntary basis. A few themes stand out:

  • Audit committees are still the main focus for cybersecurity oversight, with 78 percent of large-cap companies disclosing that cybersecurity oversight is housed there.
  • Cyber expertise is a sought-after boardroom skill. While the exact definition of “expertise” differs, 74 percent of companies included cybersecurity skills in at least one board member’s biography, up from 46 percent who disclosed this information in 2019.
  • A majority of companies are engaging in cyber-preparedness exercises, with 58 percent reporting the use of simulations, tabletop exercises, or other tests, as compared to just 3 percent of companies that shared this in their proxies in 2019.

Increases in voluntary disclosures indicate companies are responding to demand for cybersecurity oversight information from investors and stakeholders, who see it as a vital area to the firm’s business strategy and risk profile. Figure 1 contains more detailed findings from our large-cap company analysis.


Questions Boards Can Ask About Cybersecurity Disclosures

Use these ten questions to inform boardroom discussions about enhancing cybersecurity communications to investors and other stakeholders:

  1. Do we understand the priorities of our company’s major investors and other key stakeholders (suppliers, customers, employees, regulators, etc.) related to cybersecurity, data privacy, the impact of AI on cybersecurity, and other key technology risk and strategy issues?
  2. How is the company using disclosures to effectively communicate the rigor of our cybersecurity risk management program, and related board oversight activities, to investors and other stakeholders?
  3. How do we describe which board committee (or committees) has responsibility for oversight of cybersecurity matters? How do we describe how the full board is involved in cybersecurity oversight, in addition to the activities of key committees?
  4. Is cybersecurity included in our board skills matrix, or other description of skills resident on the board? Do we identify one or more directors as having cybersecurity expertise, and what are the criteria by which the board defines such expertise? How do professional cybersecurity experience, credentials, or other knowledge appear in directors’ biographies?
  5. Do we disclose any education board members are receiving on cybersecurity topics, including certifications, briefings from our external advisors, law enforcement, or other third-party experts?
  6. How do we describe how the board and/or key committees receive information from management about cybersecurity matters? How do we describe how the board and/or key committees consider cybersecurity matters as part of their deliberations on strategy, financial oversight, and enterprise risk management?
  7. How does the prominence and/or specificity of cybersecurity risk factors compare between our current enterprise risk assessments and our quarterly and annual reports?
  8. How do we describe cybersecurity risk management activities, including:
    1. policies and procedures
    2. response planning, disaster recovery, or business continuity
    3. simulations and tabletop exercises related to cyberattacks or breaches
    4. education and training efforts
    5. information sharing with industry peers, law enforcement, etc.
    6. use of an external independent advisor to support management and/or attest to cybersecurity assessment findings
  9. How do our disclosures on board cybersecurity oversight compare to those of our competitors and industry peers?
  10. How effective are our cybersecurity-oversight disclosures in balancing the need for confidentiality against the need and opportunity to demonstrate rigorous, structured oversight to stakeholders?

Figure 1. Selected Fortune 100 company cybersecurity oversight disclosures, 2019-2025

The following data is excerpted from EY’s analysis of the 80 companies on the 2025 Fortune 100 list that filed Form 10-Ks and proxy statements for 2019 through July 31, 2025. The data shows the shift in voluntary disclosures related to boards’ cyber-risk oversight practices from 2019 to 2025. Please refer to the article for the full data set.


| Topic                              | Disclosure                                                                                                        | 2025 | 2019 |
|------------------------------------|-------------------------------------------------------------------------------------------------------------------|------|------|
| Board-level committee oversight    | Disclosed that at least one board-level committee was charged with oversight of cybersecurity matters*            | 96%  | 81%  |
| Board-level committee oversight    | Disclosed that the audit committee oversees cybersecurity matters                                                 | 78%  | 62%  |
| Directors’ skills and expertise    | Cybersecurity is disclosed as an area of expertise sought on the board or cited in at least one director biography | 86%  | 53%  |
| Management reporting to the board  | Provided insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters     | 100% | 57%  |
| Management reporting to the board  | Identified at least one management role providing cybersecurity insights to the board (e.g., the CISO or CIO)     | 89%  | 27%  |
| Management reporting to the board  | Included language about the frequency of management reporting to the board or committee                           | 99%  | 44%  |
| Response preparation               | Disclosed alignment with external framework or standard**                                                         | 73%  | 4%   |
| Response preparation               | Referenced response readiness, such as planning, disaster recovery, or business continuity considerations         | 99%  | 59%  |
| Education and training             | Disclosed use of education and training efforts to mitigate cybersecurity risk                                    | 86%  | 25%  |
| Use of an external advisor         | Disclosed use of an external independent advisor                                                                  | 99%  | 14%  |

* Percentages are based on total disclosures for companies. Some companies designate cybersecurity oversight to more than one board-level committee.
** Some companies disclose that they seek to align with more than one external framework or standard. Such frameworks or standards cover different scopes and may not cover all aspects of the enterprise; some include external certification or attestation. Other frameworks or standards include Payment Card Industry Data Security Standards, Health Information Trust Alliance, System and Organization Controls 1 and 2, and more.
