Audit committees expand oversight to ESG, cybersecurity, AI: EY
Nov. 18, 2024
Nearly four out of five investors said boards should demonstrate expertise in climate, cybersecurity and other risks by detailing their work to limit such hazards, EY said.
Dive Brief:
Audit committees at the largest U.S. companies have expanded their oversight this decade beyond financial challenges to encompass risks in cybersecurity, sustainability and artificial intelligence, EY said Monday.
The proportion of companies citing sustainability as an audit committee responsibility surged to 22% this year from 6% in 2021, EY found in a survey of Standard & Poor’s 500 firms.
“This momentum is likely connected to companies preparing to comply with various new global reporting standards, including the Securities and Exchange Commission’s climate-related disclosure requirements,” EY said in a report.
Dive Insight:
The SEC this year blunted requirements of a rule focused on climate risk disclosure before putting the regulation on hold in the face of legal challenges. Companies would be required to disclose the impact of climate change on their finances, operations and business strategy.
Since the appointment of Gary Gensler as SEC Chair by President Joe Biden in 2021, mentions of the environment and climate in audit committee descriptions at S&P 500 companies have doubled from 7% to 14% this year, EY said.
Audit committees in many cases focus on the reliability of environmental, social and governance disclosures, including controls and procedures, as well as risks related to sustainability, EY said.
Gensler, the leading champion of the climate-risk disclosure rule, has said institutional and retail investors during the past several years have sought detailed and consistent corporate disclosure about ESG risks.
Nearly four out of five investors (79%) said boards should demonstrate expertise in climate, cybersecurity and other risks by detailing their work to limit such hazards, EY said, citing another survey.
A growing proportion of audit committees oversee cybersecurity risk at most large companies, EY said. The share of S&P 500 companies that cite cybersecurity as an audit committee responsibility increased to 77% this year from 25% in 2019, according to EY.
Under Gensler the SEC mandated that publicly traded companies disclose information about a material cybersecurity incident on Form 8-K within four business days of determining that incident is a material event. Companies may delay disclosure only when the Attorney General concludes that such a revelation would pose a substantial risk to national security or public safety.
The SEC rule also requires companies to identify a board committee or subcommittee to oversee cybersecurity risks. The proportion of S&P 500 boards that lack proxy disclosures assigning cybersecurity to a specific committee has fallen to 5% from 15% in 2021, EY said.
Companies are beginning to disclose some level of oversight for AI risks, and most commonly cite the risk as a point of audit committee oversight, EY said.
“AI is starting to emerge as an area of committee focus,” EY said, noting that 13% of technology committee descriptions cite the quickly evolving technology.
[CFO Dive]