For the third consecutive year, EY analyzed cybersecurity-related disclosures by examining companies’ proxy statements and 10-K filings. This year’s study of 76 Fortune 100 companies, covering the period from 2018 through May 31, 2020, found modest increases in disclosures (most significantly in the area of board of directors (BoD) oversight) but a continued lack of disclosure about cyber-readiness simulations and the use of independent third-party advisors. Only 7% of companies disclosed engaging in cyber-readiness simulations, and only 16% disclosed using external independent advisors.
Just 5% ‘included cybersecurity in executive compensation considerations’, up from 1% in each of the previous two years. EY points out that where shareholders have proposed adding cybersecurity metrics to compensation, the proposals received only 17% support in shareholder votes. Companies explained either that there is no clear correlation between executive actions and the prevention of cybersecurity incidents, or that cybersecurity considerations are already included in executive performance calculations.
The fact that it is still rare for executive compensation to be linked to cybersecurity performance is problematic but not surprising. Aligning executive compensation with efforts to protect a company’s digital assets should be the rule, not the exception. But doing so requires the right metrics: ones that correlate executive action with better asset protection and lower financial risk for the company. The lack of such cyber-financial metrics to date is one reason the ‘unclear correlation’ between action and risk management performance has persisted. Consider:
- the significant increase in the cyber threat facing companies, including operational disruptions such as ransomware;
- the risk of significant economic and financial losses due to poor cyber risk management; and
- the fact that the difference between successful and unsuccessful digital transformations has become the difference between corporate ‘winners’ and ‘losers’, both within and across sectors.
Then ask yourself: “why would the C-suite not be held accountable for these issues?”
The very low percentage of companies disclosing preparations such as simulations or tabletop exercises, or the use of external advisors, suggests that many large companies continue to underinvest in robust cyber risk management. We have recently discussed the importance of cyber-attack preparation, such as establishing a playbook and running simulations, here and here.
In addition, if more companies actually do engage in these activities, the lack of disclosure is itself a problem. More than ever, stakeholders such as customers, regulators and investors need to know that companies are taking cyber risk seriously, and formal disclosure of control measures is one way for companies to demonstrate that they do.
As we discussed in yesterday’s story about CEO liability for cyber breaches, this environment is changing rapidly. Compensation committees need to incorporate these realities into executive contracts just as rapidly. And the question does not boil down to a binary ‘have we been breached or not?’
The Cyberhedge Indices demonstrate that (1) good and bad cyber performance can be measured objectively, and (2) the markets already reward the good and punish the bad.