
DATE PUBLISHED: January 22, 2025

Corporates Bolster Their Defenses Amid Growing Cyber Risk

Cyber risk management is a growing corporate governance priority, amidst a proliferation of cyber threats, headline-grabbing cyber incidents and an increasing focus from investors and regulators. Companies with strong cyber risk management and mitigation programs benefit by reassuring stakeholders that they are committed to safeguarding operations, reputation, and long-term viability.

ISS ESG collects corporate information on security-related disclosures, many of which contribute to its Governance QualityScore Audit/Other Risks category ranking. In this blog post, we examine the current state of corporate cyber disclosures and how they have trended over the past three years, focusing on key datapoints that indicate strong cyber risk management practices, including:

  • Employee training programs
  • Board briefings and their frequency
  • Directors with information security expertise
  • Supply-chain risk management
  • Materiality assessment frameworks

Cyber Threat Growth Sparks Training

Both the frequency and sophistication of ransomware attacks increased markedly in 2024. In July 2024 there were 58% more publicly disclosed attacks than a year earlier, and in the first half of 2024 the average extortion demand per attack exceeded $5.2 million.[1]

The attacks themselves are becoming more sophisticated as new ransomware strains proliferate, and Ransomware-as-a-Service grows into a cottage industry.

Since many ransomware attacks are enabled by social engineering or credential compromise, companies are responding by ramping up training programs aimed at mitigating these risks. Since 2022, disclosure of such programs has more than doubled among Russell 3000 firms, and all but 5% of the largest 500 companies now disclose such programs. Although smaller companies lag, the growth trend is clear across market-cap segments.

Chart of Companies Disclosing Training Programs
Chart of Companies With at Least Annual Cyber Training Programs

Boards Increasingly Involved in Cyber Risk Management

With the SEC now mandating disclosure of how management and the board oversee cyber-related risks, the number of companies conducting at least annual board briefings has more than doubled since 2022. More than 70% of S&P 500 companies brief their board at least once a year, and more than half of the remaining Russell 3000 companies do the same.

It is important to note that the new regulations only deal with disclosure of whether and how boards are involved in managing cyber risk; they do not require any specific level of involvement or action. Regardless, boards are clearly more engaged and paying closer attention to these risks.

Chart of Board Committee Briefing Frequency
Chart of Board Briefing Frequency

Information Security Expertise on the Board

While it had been widely expected that the SEC rules would require disclosure of cyber-related skillsets on the board, this specific item was ultimately dropped from the final rules. But the mere expectation that it would be included may have changed behavior: both the disclosure and the presence of information security experience on boards are on the rise. Information security experience is certainly more relevant than ever, but once a board reaches a critical mass of, say, two to three directors with this expertise, these numbers may stabilize among the largest companies. Across the broader Russell 3000, however, only about one third of companies disclose more than one expert director, and more than 40% disclose none.

Chart of Directors With Information Security Skills

*ISS considers a director to have information security skills if they have any current or previous employment with companies in information security or relevant industries, current or previous employment positions relevant to information security, certifications in information security or similar, or explicit disclosure of information security expertise.

Supply-Chain Cyber Risk Management

The prevalence of supply-chain risk management programs is encouraging. ISS-Corporate research indicates that third-party incidents make up a third of all cyber breach incidents reported by publicly traded companies. The fact that 75% to 80% of Russell 3000 companies disclose a formal supply-chain/third-party cyber risk management program suggests that firms are taking these risks seriously.

Chart of Companies That Have a Formal Supply-Chain Information Security Risk Management Program

Determining Materiality

Lastly, the new SEC regulations require timely disclosure of material incidents: a registrant must report a cybersecurity incident on Form 8-K within four business days of determining that it is material, and that determination must itself be made without unreasonable delay after discovery. Having a framework in place to determine materiality will facilitate compliance, whereas waiting for an incident to occur and then trying to assess materiality on the fly, under that clock, could be challenging. The fact that more than 20% of all companies have already established such frameworks is encouraging, and we expect the number to grow since it is such a key component of the SEC's new compliance rules.

Chart of Companies That Established a Framework and Process for Determining the Materiality of Information Security Events

As the ISS ESG data sets show, several key categories of cyber-related disclosures have rapidly gained prevalence. While this is partly due to the changing nature and growing threat of cyber events, it seems likely that both the anticipation and the implementation of the new SEC disclosure rules also played a role. Since these rules are intended to give investors a transparent discussion of cyber risk, it stands to reason that investors are focused on these disclosures as well as on cyber risk management outcomes.

ISS ESG offers investors cyber governance insights through the Audit/Other Risks category ranking of Governance QualityScore, as well as an empirical, technology-informed measurement of cyber risk management practices through the ISS Cyber Risk Score. Together, these metrics provide a view into both management involvement and the practical implementation of sound cyber risk management practices. Both are available to corporate issuers through ISS-Corporate, enabling firms to see themselves through the same lens as their investor stakeholders.

NOTES:

[1] TRM Labs. (2024). Ransomware in 2024: Latest trends, mounting threats, and the government response. Retrieved from https://www.trmlabs.com/post/ransomware-in-2024-latest-trends-mounting-threats-and-the-government-response

AUTHORS

Ramy Ibrahim, Associate Director, Product Manager, ESG, Data Analytics & Financial Solutions, ISS-Corporate
Douglas Clare, Managing Director, Cyber Strategy, ISS-Corporate
Sandra Herrera Lopez, Vice President, Data Analytics Research, ISS-Corporate
