7 Ways Companies’ Cyber-Related Governance Disclosures Will Evolve Post-SEC Rule Change

The increased frequency and severity of cyberattacks has resulted in increased pressure on companies at a global level to prepare for, mitigate against, and disclose the impacts of these attacks. This pressure may be most clearly illustrated by the SEC’s recently adopted rules around incident disclosure. Beyond the SEC, investors have also recognized the increased importance of portfolio companies successfully overseeing and managing cybersecurity risks.

Large investors and their stewardship teams, as well as proxy advisors, are rapidly evolving their expectations for Boards and management teams to demonstrate robust cybersecurity programs are in place:

• Glass Lewis’ 2024 Policy Updates included a new approach to cyber risk oversight which can lead to recommended votes against directors where a company has been impacted by a cyberattack;
• ISS ESG introduced a Cyber Risk Score for companies, which scores companies on cyber risk oversight on management disclosures, to “help investors predict portfolio companies’ relative exposure to cyber breaches within the next 12 months”;
• BlackRock provided specific commentary on its approach to data privacy and security topics, including how the stewardship team views cybersecurity as a material risk and its approach to engaging with boards and management teams on the topic;
• Vanguard’s Stewardship Annual Report provided direct reference to productive engagements it had with a handful of companies directly on cybersecurity risks; and
• State Street’s Asset Stewardship Report identified cyberattacks as its first emerging systemic risk for markets and global economies – ahead of geopolitical risks and the possibility of a recession.

This should not come as a surprise. As cybersecurity risks have become more prevalent and costly, shareholders have put increased expectations on the Board, who is in place to protect the value of their investment.

Here are seven ways cyber disclosures of publicly traded companies should evolve to meet investor expectations:

1. Oversight and Reporting Structure

Most existing proxies and committee charters already demonstrate what Board committee oversees cybersecurity, the management team members that lead a cybersecurity program, and maybe even the reporting frequency. As investors analyze these disclosures more closely, expect companies to provide more detailed insight into the oversight structure. Disclosures will evolve to clearly include the role of the Chief Information Security Officer (CISO) in the process, how cybersecurity is integrated into broader enterprise risk management, and provide insight into high-level cybersecurity topics discussed at the Board level.

2. Board Expertise or Board Education?

Despite the requirement being removed from the final SEC rule, many boards are grappling with the possibility of adding a “cyber expert” to the Board. For certain companies in certain industries, adding cyber expert(s) to the Board may be appropriate. Broadly speaking, however, investors do not currently expect every Board to have a cyber expert. Instead, investors will expect companies to disclose 1) the experience certain directors have that helped them develop technology or cyber-related skillsets and 2) the education and resources a company makes available to its Board regarding cybersecurity. At a minimum, Boards should demonstrate its directors have received educational material on cybersecurity, have access to independent cybersecurity experts, legal counsel, and other resources that position the Board to stay informed of emerging risks and trends.

3. Put Resources Behind the CISO

As the cybersecurity landscape has continued to evolve, the role of the CISO has evolved in tandem. As a result, it’s imperative that Boards and company leadership position the CISO to be successful. This means engraining the CISO with the management team and into strategy discussions, providing ample resources for the CISO to achieve their objectives, and providing a platform for them to communicate effectively with the Board. All CISO’s – at public companies or not – should invest in honing communications and leadership skills, through programs like FTI Consulting’s Secure Your Seat, to keep pace with escalating demands.

4. Board Awareness of Preparedness

Incident response plans and tabletop exercises should evolve as the cyber risk environment changes and as disclosure requirements have changed. While a Board may not be overly involved in this actual process, investors will want to know the Board is aware of how the company prepares for an incident and that it has an infrastructure in place to oversee incident response.

5. Targeted, Enhanced Investment

Cybersecurity may be more pertinent of a risk in certain segments, for certain products, or for certain personnel. Additionally, cyber and data security can become a heightened risk where artificial intelligence has recently been adopted. Investors will look for companies to identify these parts of the business and demonstrate extra investment or procedures in place to address the heightened risk.

6. Proactively Engage Investors

The time to engage with investors on cyber is not after an investor votes against directors or after a cyber incident. It’s now. Investors’ disclosure expectations are changing and will continue to change in the future. Boards and management teams should proactively engage with their investors on cybersecurity to understand what investors expect from them.

7. Experience An Attack? Don’t Shy Away From It

Cyber incidents are a fact of life for companies – not a sign of weakness. After an incident, investors will look to see that the incident was well-managed. Investors will want to see that a Board’s and management team’s existing processes and procedures were able to be actioned and linked to an outcome. Companies must show how the Board and management team implemented existing controls and procedures to help address the incident.