7 Ways Companies’ Cyber-Related Governance Disclosures Will Evolve Post-SEC Rule Change
Garrett Muzikowski is a Senior Director, and Sara Sendek is a Managing Director at FTI Consulting. This post is based on their FTI Consulting memorandum.
The increased frequency and severity of cyberattacks has resulted in increased pressure on companies at a global level to prepare for, mitigate against, and disclose the impacts of these attacks. This pressure may be most clearly illustrated by the SEC’s recently adopted rules around incident disclosure. Beyond the SEC, investors have also recognized the increased importance of portfolio companies successfully overseeing and managing cybersecurity risks.
Large investors and their stewardship teams, as well as proxy advisors, are rapidly evolving their expectations for Boards and management teams to demonstrate that robust cybersecurity programs are in place:
- Glass Lewis’ 2024 Policy Updates included a new approach to cyber risk oversight which can lead to recommended votes against directors where a company has been impacted by a cyberattack;
- ISS ESG introduced a Cyber Risk Score for companies, which scores companies on cyber risk oversight on management disclosures, to “help investors predict portfolio companies’ relative exposure to cyber breaches within the next 12 months”;
- BlackRock provided specific commentary on its approach to data privacy and security topics, including how the stewardship team views cybersecurity as a material risk and its approach to engaging with boards and management teams on the topic;
- Vanguard’s Stewardship Annual Report provided direct reference to productive engagements it had with a handful of companies directly on cybersecurity risks; and
- State Street’s Asset Stewardship Report identified cyberattacks as its first emerging systemic risk for markets and global economies – ahead of geopolitical risks and the possibility of a recession.
This should not come as a surprise. As cybersecurity risks have become more prevalent and costly, shareholders have placed increased expectations on the Board, which is in place to protect the value of their investment.
Here are seven ways cyber disclosures of publicly traded companies should evolve to meet investor expectations: