This audio is automatically generated. Please let us know if you have back.
Diving brief:
- Audit committees at America’s largest companies have this decade expanded their oversight beyond financial challenges to encompass risks related to cybersecurity, sustainability and artificial intelligence, EY said Monday.
- The proportion of companies citing sustainable development as an audit committee responsibility jumped to 22% this year compared to 6% in 2021, found EY in a survey of Standard & Poor’s 500 companies.
- “This dynamic is likely related to companies preparing to comply with various new global reporting standards, including climate-related disclosure requirements from the Securities and Exchange Commission,” EY said in a report.
Dive overview:
TThe SEC this year eased requirements for a rule focused on climate risk disclosure before suspend regulation facing legal challenges. Companies would be required to disclose the impact of climate change on their finances, operations and business strategy.
Since Gary Gensler was appointed SEC Chairman by President Joe Biden in 2021, mentions of the environment and climate in audit committee descriptions of S&P 500 companies have doubled from 7%. to 14% this year, EY said.
In many cases, audit committees focus on the reliability of environmental, social and governance information, including controls and procedures, as well as sustainability risks, EY said.
Gensler, the climate risk disclosure rule’s leading advocate, said that in recent years, institutional and retail investors have demanded companies provide detailed and consistent disclosures about ESG risks.
Nearly four in five investors (79%) said boards should demonstrate expertise in climate, cybersecurity and other risks detailing their work to limit such risks, EY said, citing another survey.
A growing proportion of audit committees oversee cybersecurity risks at most large companies, EY said. The share of S&P 500 companies citing cybersecurity as an audit committee responsibility increased from 25% in 2019 to 77% this year, according to EY.
Under Gensler, the SEC required publicly traded companies to disclose information about a material cybersecurity incident on Form 8-K within four business days of determining that incident to be a material event. Companies may only delay disclosure when the Attorney General concludes that such disclosure would pose a significant risk to national security or public safety.
The SEC rule also requires companies to identify a committee or subcommittee of the board of directors to oversee cybersecurity risks. The proportion of S&P 500 boards that do not have proxies assigning cybersecurity to a specific committee has fallen to 5%, from 15% in 2021, EY said.
Companies are beginning to disclose some level of AI risk oversight and most often cite risk as an audit committee oversight point, EY said.
“AI is starting to emerge as an area of focus for committees,” EY said, noting that 13% of technology committee descriptions cite the rapid evolution of technology.
