Analysis of Cybersecurity Disclosures by Silicon Valley Companies

This article analyzes the cybersecurity disclosures of 30 public companies in the Lonergan Silicon Valley 150 (SV150), providing insights into their approach towards cybersecurity. It examines board oversight, management roles, cybersecurity frameworks, and the length of disclosures, highlighting the transparency and accountability in managing cybersecurity risks.

Board Oversight of Cybersecurity Risks

( Credit to: Jdsupra )

The U.S. Securities and Exchange Commission (SEC) has introduced new rules mandating annual cybersecurity disclosures by public companies. This analysis examines the cybersecurity disclosures of 30 public companies in the Lonergan Silicon Valley 150 (SV150) to gain insights into their approach towards cybersecurity.

Among the SV150 companies reviewed, 75% disclose that the audit committee plays a key role in cybersecurity risk oversight. Additionally, two companies disclose that the nominating and governance committee has primary oversight of cybersecurity risks. Only a few companies (5) state that the full board retains primary oversight, while none of the companies disclose the existence of a cybersecurity-specific board committee.

Management's Role in Cybersecurity

Companies are required to describe management's role in assessing and managing cybersecurity risks. Approximately one-third of the SV150 companies reviewed disclose the existence of a management-level cybersecurity-specific committee. This demonstrates that these companies have dedicated resources and structures in place to address cybersecurity concerns.

The reviewed companies also disclose specific management positions responsible for managing cybersecurity risks. On average, companies disclose around 1.7 management positions, with the Chief Information Security Officer (CISO) being the most commonly mentioned position (22 companies). The Chief Information Officer (CIO) is also cited by seven companies. Other management positions mentioned include the chief legal officer, chief security officer, chief technology officer, and other vice presidents or chief-level positions.

Adoption of Cybersecurity Frameworks

Although the SEC's rules do not mandate it, two-thirds of the SV150 companies reviewed reference at least one cybersecurity framework. The most commonly referenced framework is the NIST Cybersecurity Framework, cited by 16 companies. The International Organization for Standardization (ISO) framework, including ISO 27001 and 27002, is mentioned by 11 companies. Other frameworks mentioned include the Center for Internet Security, the Payment Card Industry Data Security Standard, HIPAA, and SOC 1 and SOC 2.

Length of Cybersecurity Disclosures

The average length of the cybersecurity disclosure in the Form 10-K filings of the reviewed companies is approximately 962 words. This provides a comprehensive overview of the companies' cybersecurity risk management strategies.

The length of the disclosures varies, with the shortest being 428 words and the longest being 1,421 words. These disclosures offer valuable insights into how Silicon Valley companies are addressing and managing cybersecurity risks, enhancing transparency and accountability in this critical area.

Conclusion

The analysis of cybersecurity disclosures by Silicon Valley companies reveals that a majority of these companies have delegated primary oversight of cybersecurity risks to the audit committee. Additionally, many companies have established management-level cybersecurity-specific committees and have identified specific management positions responsible for managing cybersecurity risks. The references to various cybersecurity frameworks indicate that companies are adopting recognized standards to guide their cybersecurity practices. Overall, these disclosures provide valuable insights into how Silicon Valley companies are addressing and managing cybersecurity risks, enhancing transparency and accountability in this critical area.
