Public company audit committees are talking about cybersecurity risks more than ever before, according to a recent report from the Center for Audit Quality.
The report said that the number of S&P 500 companies disclosing that the audit committee is responsible for cybersecurity risk oversight grew from 11 percent to 34 percent in four years. Further, the number of companies that disclose whether the board has a cybersecurity expert has grown from 7 percent to 23 percent in the same period. Similarly, when a company does have a cybersecurity expert, the number of companies disclosing on what board committee(s) the cybersecurity expert serves has grown from 7 percent to 22 percent.
This is part of an overall trend toward more disclosures. The most common disclosures are discussions of non-audit services and the impact on independence (84 percent of companies reporting), auditor tenure (71 percent), criteria for evaluating the audit firm (50 percent) and the involvement in audit partner selection (50 percent).
The report noted, though, that there remain significant areas of no or minimal disclosure. These include such categories as significant areas addressed with the auditor (0 percent for S&P 500), how the audit committee considers auditor compensation (2 percent), and discussion of audit fees and their connection to audit quality (4 percent).
The report recommended that audit committees include more discussion points, as well as make more disclosures around audit firm evaluation, audit engagement partner selection and audit firm compensation.