
The heightened threat of a breach has spurred greater scrutiny of companies’ [cyber] programs and practices from proxy advisors, regulators, and investors. As a result, companies are building into their disclosures more comprehensive reporting of mitigation efforts to deal with potential risks.

October 20, 2023

Cyber Governance: Growing Expectations for Information Security Oversight and Accountability


Below is an excerpt from ISS Corporate Solutions' recently released report "Cyber Governance: Growing Expectations for Information Security Oversight and Accountability". The full report is available in the ISS Corporate Solutions online library.

Information security is increasingly viewed as a key corporate governance issue within the investment community, and expectations are growing for public issuers to have robust programs and strategies that help mitigate cybersecurity threats. Businesses that fail to adopt such measures risk becoming market laggards and may face an increased risk of a material security breach. There is a clear trend toward more detailed disclosure of cybersecurity risk oversight, answering questions such as: Does the company have a cybersecurity strategy? An information security training program? Information security risk insurance? Directors with cyber expertise? Management briefings to the board? Reporting on cyber incidents? Boards can no longer take a passive approach, and investors increasingly expect boards to put in place a framework for sound cybersecurity oversight that better positions the company to mitigate vulnerabilities.

KEY TAKEAWAYS

  • Nearly all companies in the Russell 3000 provide disclosures that include at least a general approach to information security risk mitigation. More than 80% of S&P 500 companies include detailed disclosure of both risks and strategies to mitigate them.
  • More companies are disclosing the presence of an information security training program: over the past two years, such disclosures rose by nearly 55% among S&P 500 companies and by roughly 100% among Russell 3000 companies outside the S&P 500. The number of companies disclosing an information security risk insurance policy has also risen over the same timeframe.
  • Boards are increasingly under pressure to recruit directors with cybersecurity expertise, though a disparity exists between larger companies in the S&P 500, where nearly 54% have at least three directors classified with the skill, and the rest of the Russell 3000, where nearly 43% have no board members with relevant information security expertise.
  • Only a few companies, 16 in the S&P 500 and 22 in the remainder of the Russell 3000, include cybersecurity measures as part of either annual or long-term executive compensation incentive programs.



By: Liam Hardy, Senior Associate, ISS Corporate Solutions
