EY analyzes cybersecurity risk disclosure

What are companies disclosing about their efforts to oversee cybersecurity risk? In this article, Ernst & Young analyzes cybersecurity-related disclosures in the proxy statements and Forms 10-K of Fortune 100 companies from 2018 to 2019, focusing on disclosure regarding board oversight, cybersecurity risk and risk management. Building on its similar analysis conducted for 2018 (see this PubCo post), EY detected “modest” enhancements in disclosures compared to the prior year—most significantly regarding board oversight practices—although the depth, detail and company-specificity of the disclosures continued to vary widely. Nevertheless, based on its observations of companies’ activities in the market, EY found that even these enhanced disclosures sometimes failed to capture all of a company’s oversight activities, such as third-party independent assessments or tabletop exercises designed to enhance preparedness. Given that many stakeholders have interests in cybersecurity risk preparedness and board oversight, EY advises, enhanced disclosure can serve to build “stakeholder confidence and trust as the cybersecurity risk landscape evolves and as technological…
