Boardroom Tools

Enhancing Cybersecurity Oversight Disclosures—10 Questions for Boards

By NACD Staff

04/12/2021

Committees and Roles

In brief: This tool provides directors with key questions to pose to their management teams on cybersecurity disclosures for the organization. Enhancing cybersecurity disclosures helps ensure that legal risks and cyber risks are both being adequately addressed. This tool originally appeared in the publication Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.

This resource can help your board to 

  • understand the legal impacts of cyber risks,

  • question management on cybersecurity disclosures, and

  • enhance cybersecurity disclosures within the corporation.

Most relevant audiences: Risk committee chairs, risk committee members, and CISOs

Cybersecurity attacks are among the gravest risks that businesses face today. EY’s 2019 CEO Imperative Survey found that CEOs ranked national and corporate cybersecurity as the top global challenge to business growth and the global economy. As discussed in Principle 2, directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances, including potential requirements related to disclosures. This Tool offers 10 questions that boards can ask to enhance cybersecurity disclosures within their organization.

In this environment, stakeholders want to better understand how companies are preparing for and responding to cybersecurity incidents. They also want to understand how boards are overseeing these critical risk-management efforts. EY’s annual Center for Board Matters investor outreach includes conversations with governance specialists from more than 60 institutional investors representing more than US $32 trillion in assets under management. Sixty-one percent of respondents said that cybersecurity, regardless of sector, was among the risk issues they considered elevated, even though investors characterize cyber risk as a pervasive and standard risk affecting all companies. Some of the key themes arising from those conversations were these:

  • an interest in understanding how boards are structuring oversight (i.e., whether a committee or the full board is charged with that responsibility)

  • how directors are developing competence around, and staying up to speed on, cyber issues

  • how often management reports to the board, and who from management does so

  • key features of how management is addressing cyber risk

  • an interest, expressed by many investors, in data-privacy issues and compliance with new privacy laws and regulations

In response, many companies are enhancing their cybersecurity disclosures, with the most significant changes related to board oversight practices. (See Figure 1.)
