Below is an excerpt from ISS Corporate Solution’s recently released paper “Cybersecurity Disclosures: What progress has been made?” The full paper is available for download from the ISS Corporate Solutions (ICS) online library.
Summary:
Disclosures on cybersecurity practices for the S&P 500 and the remainder of the Russell 3000 are inching forwards in the face of increased expectations to be introduced by the Securities and Exchange Commission (SEC) in early 2023, though not in every instance. To determine progress, ISS Corporate Solutions assessed data on the Governance Quality Scores (GQS) of companies against a series of 11 cyber security GQS questions, including: “How often does senior leadership brief the board on information security matters?” and “Is the company externally audited or certified by top information security standards?”
Our observations of many of the GQS questions, companies’ disclosure practices have increased marginally in advance of the coming SEC regulations
Key Takeaways:
- Increases in disclosures include:
- companies indicating clear approaches to identifying and mitigating information security risks
- senior leadership briefing boards on information security, only a minimal increase
- information security training programs
- the number of companies with independent information security committees in the S&P 500
- the number of companies with an information security risk insurance policy
By: Paul Hodgson, Senior Editor, ISS Corporate Solutions
