Board Oversight of Cybersecurity Incidents

Mar 6, 2025 - 15:34
Posted by Aaron Wendt and Joah Clements, Glass, Lewis & Co., on Thursday, March 6, 2025
Editor's Note: Aaron Wendt is Director of U.S. Governance Policy, and Joah Clements is a Senior Analyst, at Glass, Lewis & Co. This post is based on their Glass Lewis memorandum.

Technological advancements have improved the ways that companies collect, transfer, and process data within and between organizations, creating markets that are largely reliant on internet infrastructure for their day-to-day operations. While these technological advancements have increased the speed at which business is conducted and improved efficiency and economies of scale, this convenience can often come at the cost of cybersecurity. Hackers are constantly testing the defenses protecting corporate data, as evidenced by the explosive recent growth in the number of cyberattacks.

Many boards are already adapting to promote risk oversight that includes cybersecurity threats. There has been a significant increase in disclosure of companies’ and boards’ approaches to cybersecurity following the introduction of new SEC rules in July 2023. Those rules require disclosure of material cybersecurity incidents within four days, as well as a discussion of the role of management and the board’s committees in overseeing cybersecurity matters to be included in annual reports.

We found that approximately 74% of companies in the Russell 3000 index have taken the additional step of codifying oversight of cybersecurity at the full board level or with a board committee in their governing documents or committee charters. We view management and board oversight of cybersecurity as an essential component of a company’s preparedness for cyberattacks and expect that companies will continue to improve best practices for oversight and disclosure as attention to cybersecurity issues grows more widespread.
