Corporate Disclosure of Cyber Risks May Get More Detailed Following a Change in ESG Ratings

Published: April 2021


With cyber risk gaining more attention following increased security breaches and a rise in remote working, a closely followed ESG rating system is adding new cyber questions to its scoring methodology. This could prompt companies to disclose more specifics on how they manage related risks.

The growth of environmental, social and governance (ESG)-focused investors and more robust corporate disclosure has spawned dozens of outside ratings that attempt to quantify how well companies are addressing ESG issues. One of the most visible ratings comes from the large and influential proxy advisory firm Institutional Shareholder Services (ISS) with its QualityScore ratings. In the firm’s latest update to its methodology, ISS is adding cyber-related questions — a hot topic in the remote working environment.

QualityScore ratings are included for informational purposes in ISS’ annual research reports, which also contain voting recommendations to investors for annual shareholder meetings. While such ratings generally do not impact ISS’ actual voting recommendations, their visibility within the reports makes them a frequent topic of conversation within the boardroom. As such, when ISS publishes its annual methodology updates, companies typically look at their own disclosure to determine accuracy and whether there are certain disclosure enhancements that could be made to improve their QualityScore rating.

As with other areas of public disclosure, companies need to balance their desire for improved governance ratings against the potential risks of over-disclosing on sensitive topics. This is especially true given that the ISS governance ratings do not directly affect actual proxy voting recommendations or outcomes. It is also important to remember that changes in a company's ESG ratings are not always, or even often, a reflection of changes in that company's actual practices; they are frequently driven by intricate and evolving changes to the rating agencies' methodologies.

“Companies should focus on managing their ESG risk and opportunities based on internal business needs while also balancing what competitors are doing on these items as well — as opposed to doing what a rating agency rates as best practice,” says Laura Wanlass, a partner in Aon’s human capital practice and global governance leader. Nonetheless, it’s important to track changes from ratings agencies and be aware of their potential implications and how to message outcomes of ratings scores to investors and other stakeholders as needed, she says.

Cyber-Related Questions for 2021

Starting this year, ISS includes several cyber-related questions in the ISS QualityScore updates, under the sub-categories of “Information Security Oversight” and “Information Security Risk Management Oversight.”

The table below shows the questions the firm is using to rate companies.

The questions under the Information Security Oversight subcategory cover matters that are commonly disclosed in the proxy statement already (often in the board risk oversight section and in the board matrices and board skills and qualifications sections). However, the questions ISS is including under Information Security Risk Management Oversight are not only uncommon in the marketplace but could expose a company to risk if sensitive information is disclosed in its publicly filed Form 10-K.

We reviewed 10-K disclosures at S&P 1500 companies that have filed a Form 10-K for the most recent fiscal year as of January 31, 2021. Key findings include:

  • Most companies disclose their compliance with the California Consumer Privacy Act, the General Data Protection Regulation and other regional cyber regulations.
  • Cyber-related risk is most often overseen by a specific board committee, frequently the audit committee.
  • A majority of companies disclose preventive measures taken to reduce cyber risk. However, fewer firms disclosed details about the actual steps taken, such as implementing firewalls, automatic backups and anti-virus software.
  • Some companies had a designated cyber risk position in leadership, with the chief information officer or chief security officer being the most prevalent title.
  • Some companies engaged third parties; however, none disclosed the vendor's name.
  • Most companies maintain cyber insurance; however, none disclosed the coverage amount.

Risks of Disclosing Too Much

Our research finds that detailed disclosure surrounding cyber breaches and insurance coverage is uncommon. Public companies are balancing the need for transparency on their cyber-related practices — which can boost their ratings score and please ESG-savvy investors — against the risk of divulging sensitive details of a firm’s cyber prevention plans that an attacker could use.

The same challenge applies to third-party organizations. Organizations often fall short in identifying the specific risks that arise from their industry or sector, and the assets that carry the most potential risk. For example, if you are a credit card processor, your largest risk is that your “vault” of credit card information is compromised. This would result in significant fines and fees from government entities, fees or sanctions from industry bodies, and significant reputational damage. A similar risk exists for hospital groups’ patient health records. Yet most companies are very generic in their disclosure, even where there are opportunities to be more specific and relate risks back to the unique nature of a business’ operations.

“We are constantly taking questions from our clients about trying to find the right balance between what they need to disclose to give stakeholders comfort that they have sufficient controls in place, while not going so deep that it raises lots of questions or red flags. Companies have an opportunity to improve cyber disclosure by providing more specificity around risk mitigation efforts unique to their industry,” says Christopher J. Uriarte, chief information officer, Aon’s Cyber Solutions.

For more information about how we work with C-suite and boards on cyber risks and disclosure, please contact the authors or write to

General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
