The issue of cybersecurity has been a key concern for companies since the beginning of the Information Age. The potential damage to companies from cybersecurity risk is severe.
The threat extends beyond corporate damage to the nation’s economy and security. In addition, the severity of the issue could lead to increased personal liability for board directors. Professionals in the IT, legal and insurance industries are eager to help, but board directors aren’t always taking advantage of their expertise, despite the difficulty in managing cybersecurity risks.
While an increasing number of boards have taken a keen interest in cybersecurity issues, many boards have not met the issue with an effort proportionate to the degree of risk it presents.
Many boards fall somewhere between not being concerned enough about cybersecurity and simply not knowing what they are supposed to do about it.
What Are Board Directors Saying About Cybersecurity?
The most recent PwC Annual Directors’ Survey gives us a pretty good indication that too few board directors are taking cybersecurity seriously.
- Regarding whether directors felt they had delegated cybersecurity oversight to the right entity (in most cases the full board, the audit committee or the risk committee), about 78% felt they had gotten it right.
- Only around 66% of boards reported that they were getting meaningful reporting about cybersecurity from management.
- Less than 63% of boards acknowledged that they were giving cybersecurity enough attention on their board agendas.
- Only 53% of boards were comfortable with the company’s crisis response plan.
- Some 41% of boards felt they got sufficient continuing educational opportunities on cybersecurity, while 40% of boards said they understood the company’s cybersecurity strategy, and only 37% indicated that they understood the cybersecurity risks they were facing.
- Only 36% of boards said that their directors had sufficient expertise on cybersecurity.
When directors were asked about the types of cybersecurity issues they had discussed, 78% said that they had discussed a crisis response plan in the event of a major security breach and 74% talked about the company’s cyber insurance coverage. When asked about discussing whether to engage an outside cybersecurity expert, 74% of boards said yes and 71% said they had talked about a cybersecurity expert’s evaluation. About 58% of board directors indicated that they had talked about cyber risk disclosures in response to SEC guidance, 53% had talked about hiring a CISO, 42% had discussed an actual breach of their company’s security, and 42% had the Department of Homeland Security/NIST cybersecurity framework on their board agendas. These numbers represent increases of only about 25 points since 2014.
In essence, organizations need more IT expertise on their boards, and they need a greater degree of information and support for cybersecurity from management.
In part 2, we’ll say more about what we’ve found regarding board directors’ confidence about cybersecurity and what we should do about it. Stay tuned!