Confidence in Cybersecurity Grows at the Board Level
NACD finds greater satisfaction with management reporting; surveys show other risks gaining more attention
Friday, January 31, 2020
By Ted Knutson
Members of corporate boards are expressing growing confidence in their organizations' cybersecurity.
According to the National Association of Corporate Directors (NACD) 2019-20 Public Company Governance Survey, 66% of more than 500 respondents had increased confidence in their organizations' ability to effectively respond to a material cyber incident. That was up from 50% a year earlier, itself an indication that directors believed their companies were getting a better handle on one of the most preoccupying risks of the last decade - and that other threats were gaining in relative severity.
“Enhanced management reporting and greater transparency may have contributed” to the changing attitude toward cyber, NACD said in its December report on U.S. public company boards.
This is not to say that cyber attacks' severity is on the wane or being taken less seriously. When asked for five trends likely to have the greatest effect on their companies over the next 12 months, 49% named changing cybersecurity threats. That trailed growing business-model disruptions (52%), slowing global economy (51%) and increased competition for talent (51%).
[Chart: "What five trends do you foresee having the greatest effect on your company over the next 12 months?"]
Other Risks Rising
The trend is generally in line with other recent broad-based risk management surveys.
In the World Economic Forum Global Risks Perception Survey, "economic confrontations" was the No. 1 risk expected to increase in 2020, and cyber attacks ranked No. 5.
For banks in Accenture's 2019 Global Risk Management Study, financial crime and credit risk were the top concerns, followed by a tie between regulatory compliance and cyber threats. Cyber threats are “happening more often and with increasing sophistication. Cyber threats can't be brushed aside, due to the potentially significant financial and reputational damage they can inflict on an organization,” Accenture said.
One survey with cyber in the top spot - and for the first time - is the Allianz Risk Barometer 2020, with more than 2,700 respondents worldwide. Thirty-nine percent rated cyber incidents as the most important business risk, moving ahead of business interruption, at 37%. Seven years ago, cyber ranked 15th, at 6%.
“Incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands,” said Marek Stanislawski, deputy global head of cyber, Allianz Global Corporate & Specialty. “Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions.”
In PwC's Annual Global CEO Survey, released in conjunction with the January meeting of the World Economic Forum in Davos, Switzerland, 36% were “extremely concerned” with over-regulation, 35% with trade conflicts and 34% with uncertain economic growth. Among those in the U.S., however, cyber threats got the top response, at 53%, followed by policy uncertainty and trade conflicts, both at 41%.
Reporting and Communication
The NACD results reflect a higher level of understanding of cyber threats and what is required to confront them. Three-fourths of directors praised management for giving them better cyber risk information than was the case two years ago. Only 1% said the quality had deteriorated.
While 34% felt that a cybersecurity-savvy director had to be recruited, 73% said that sufficient time was spent on cybersecurity in board meetings.
Still, 60% saw room for improvement in cybersecurity, second only to the 63% mentioning oversight of strategic execution.
Perhaps as an indication of their growing comfort with cyber risks, 61% of directors said they would be willing to compromise on cybersecurity to achieve business objectives. Twenty-eight percent prioritized cybersecurity above all else.
“Public companies must confront the growing friction between the need to digitally innovate and the effective management of cyber risks,” NACD said. And the rapid pace of technology change amplifies threats to existing business models as well as information security.
Two-thirds, or 66%, said they assessed employee cybersecurity negligence or misconduct risk.
The NACD report recommended more concerted efforts to get independent risk data and insights: “Boards should seek new ways to leverage technology and analytics tools to increase transparency and reduce dependence on senior leaders.”
One independent voice to be heard on risk is internal auditing. Just 51% in the survey said they get auditors' input, compared with 91% that receive information on risk matters from their CEOs, 89% from chief financial officers and 71% from general counsels.
“The gap between what the board knows and what management knows” remains a challenge, as “boards require clear and timely risk information to draw the right conclusions and ask management the right questions,” the report said.
Sixty-six percent in the survey said strategy discussions addressed human capital risks. “Boards at large organizations are more likely to hear from a larger group of management representatives about human capital, possibly giving those directors a more holistic view of human capital risk,” the report pointed out.
The data also showed significant environmental, social and governance (ESG) oversight, with nearly 80% of public company boards engaging with these issues in a meaningful way. The majority were focused on defining the link between ESG and strategy and risk.
Third-party compliance risk exposure, complicated by outsourcing and extended supply chains, is a growing concern, though only 51% of boards monitor it.
Jeffrey Kutler of GARP edited this article and contributed additional reporting.