Disclosures related to the audit committee’s responsibility for cyber-security risk oversight have increased significantly over the past five years. Thirty-nine percent of S&P 500 companies made such disclosures in 2020, up from 19 percent in 2018 and 11 percent in 2016. Further, in 2020, 28 percent of S&P 500 companies disclosed whether their board has a cyber-security expert, up from 14 percent in 2018 and 7 percent in 2016. There were also significant increases in these disclosures over the same timeframe for S&P mid- and small-cap companies.
“Traditionally, corporate cyber-security programs were primarily the responsibility of the chief information security officer (CISO), and boards only had a fundamental understanding because it was somewhat a ‘black box.’ But the need for visibility into the cyber-security spectrum by the executive team and board is increasing as boards are facing questions from investors, customers, and regulators, and they have to educate themselves.”
David Kessler, VP and Associate General Counsel, IT and Cyber-Security, BAE Systems
The barometer includes specific examples of best-practice cyber-security disclosures, which provide…