Topic

The report findings suggest that, in advance of the SEC rules taking effect, companies are making a concerted effort to signal to stakeholders that they have an effective approach to managing cybersecurity threats.

October 19, 2023

U.S. Companies Step Up Cyber Risk Mitigation Disclosures in Advance of Forthcoming SEC Requirements

ROCKVILLE, Md. (October 19, 2023) – ISS Corporate Solutions, Inc. (ICS), a leading provider of compensation, governance, cyber risk monitoring, and sustainability offerings to help companies improve shareholder value and reduce risk, today announced the findings of an analysis of U.S. companies’ disclosures of their cybersecurity risk oversight measures. The analysis comes on the heels of rules announced by the U.S. Securities and Exchange Commission (SEC) in July requiring public companies to disclose their cybersecurity risk management strategies and governance practices annually, as well as any material cybersecurity incidents.

The report findings suggest that, in advance of the SEC rules taking effect, companies are making a concerted effort to signal to stakeholders that they have an effective approach to managing cybersecurity threats. The analysis finds that nearly all companies in the Russell 3000 provide disclosures that include at least an overview of the company’s general approach to information security risk mitigation, with more than half of these also including detailed disclosures about their information security risks as well as strategies or plans to mitigate them. When looking at just those in the S&P 500, more than 80 percent of companies include such details regarding both the risks and methods used for mitigation.

Furthermore, more companies are detailing the presence of an information security training program, representing an increase of nearly 55 percent among S&P 500 companies and 100 percent among the Russell 3000 (excluding the S&P 500) over the past two years. The number of companies disclosing the presence of an information security risk insurance policy has also risen over the same timeframe, with nearly 67 percent of S&P 500 companies and 57 percent of Russell 3000 (ex. S&P500) companies having noted the presence of security risk insurance as of September 2023.

Cybersecurity risk oversight has increasingly become a board-level concern, and more companies are seeking to demonstrate that directors have the necessary expertise to confront the challenge. The final version of the SEC rules excluded an anticipated requirement that boards explicitly disclose the cyber-related expertise of directors; regardless, many investors recognize that directors have a duty to exercise diligence in information security oversight for the benefit of shareholders and that having directors with relevant skills signals to investors that the board has the necessary expertise to effectively oversee cybersecurity risks. ICS’ analysis finds that directors with information security expertise are more common among larger companies, with more than half of S&P 500 companies having at least three directors with the relevant expertise. Among the Russell 3000 (ex. S&P500), however, more than 40 percent of companies do not disclose having any directors with cybersecurity expertise, and only about 20 percent of companies have more than three directors with such skills.

Meanwhile, the report finds that a select handful of companies, 16 S&P 500 and 22 Russell 3000 (ex. S&P500), include cybersecurity measures as part of either annual or long-term executive compensation incentive programs.

“The SEC’s new cyber disclosure rules are a forcing function for management teams and boards,” said Doug Clare, Managing Director and Head of Cyber Strategy at ISS Corporate Solutions. “As companies will now need to make more robust disclosures about their cyber risk management practices, the rules will undoubtedly compel many firms to adopt more robust processes worthy of the disclosure.”  

Read the full ICS analysis here.

###

About ISS Corporate Solutions
Companies turn to ISS Corporate Solutions, Inc. (“ICS”) for expertise in designing and managing corporate governance, executive compensation, cyber risk monitoring, and sustainability programs that align with company goals, reduce risk, and manage the needs of a diverse shareholder base by delivering best-in-class data, tools, and advisory services. Our global client base extends to companies located across North America, Europe, and Asia. ICS is a wholly owned subsidiary of Institutional Shareholder Services Inc. (“ISS”) and is headquartered in Rockville, Maryland. ISS’ Global Research Department, which is separate from ICS, will not give preferential treatment to, and is under no obligation to support, any proxy proposal of a company (whether or not that company has purchased products or services from ICS).  Similarly, ISS’ responsible investment research and analytics teams will not provide preferential treatment to, and is under no obligation to provide a favorable rating, assessment and/or any other favorable result to any corporate issuer (whether or not that corporate issuer has purchased products or services from ICS). No statement from an employee of ICS should be construed as a guarantee that ISS will (a) recommend that is clients vote in favor of any particular proxy proposal nor (b) provide a favorable rating or other assessment of any corporate issuer. For more information, please visit https://www.isscorporatesolutions.com/.

Media Contact:
Audrey Dedrick
Associate, Communications
media@isscorporatesolutions.com                                                                              

Share this
Get WEEKLY email ALERTS ON THE LATEST ISS INSIGHTS.