Report endorsed by industry leaders indicates need for boards of directors to improve competency and literacy around cyber risk
SAN FRANCISCO, Sept. 21, 2023 /PRNewswire/ -- Cybersecurity has increasingly become a topic of conversation at the executive and board of directors level, yet a new joint report from NightDragon and Diligent, endorsed by the New York Stock Exchange, Glass Lewis, ISC2, Spencer Stuart, and Moody's, found that the vast majority of the nation's largest and most influential companies on the S&P 500 face a potential experience gap when it comes to mitigating rising cyber risk, highlighting the need for further education as threats continue to rise.
In the "State of Cyber Awareness in the Board Room Report," NightDragon and Diligent conducted a thorough review of the members of the boards of directors of the S&P 500, an index of the largest companies listed on stock exchanges in the United States.
The study found that 57% of companies in the S&P 500 lack specialized experience in non-cyber technology categories and 88% do not currently have an executive with specialized cybersecurity experience on their board to guide them on risk mitigation efforts. While having an expert on the board is not the only metric of board education, it signifies a continued gap in education and expertise at the highest levels of many of the nation's largest organizations.
These findings come as cyberattacks continue to rise in both severity and frequency around the world, targeting healthcare, critical infrastructure, educational institutions, governments, and more. Over 422.14 million individuals were affected by cyberattacks in 2022 in the United States alone, with each attack on a business costing an estimated $4.45 million per incident. Cumulatively, global losses are estimated to reach around $10.5 trillion by 2025. As a result, cybersecurity is increasingly becoming a discussion at the board of directors' level and part of the overall company compliance and risk strategy. The study notes that a growing number of corporations are taking action to educate their boards more proactively and have security teams reporting regularly to the board.
"As cyberattacks continue to rise and cause significant impacts to organizations in every industry, it has never been more important for our nation's organizations to incorporate cybersecurity awareness at every level of the organization. It is the responsibility of every S&P 500 organization – as well as every other business in the world – to make sure they are educating themselves and either adding or consulting cybersecurity experts, or risk leaving themselves vulnerable to attack," said Dave DeWalt, Founder and CEO at NightDragon and member of many boards.
Other key findings from the report include:
- Just 12% of S&P 500 companies have specialized cybersecurity expertise among their directors, such as a CISO, former CEO, or former Chief Information Officer (CIO) of a cyber company on their boards. Only seven had a current or former CISO on their boards.
- An additional 31% of S&P 500 companies have some level of technology expertise on their boards. These individuals might be informed on cybersecurity and technology issues but have less direct cybersecurity experience than those in the highest tier.
- The majority of organizations (52%) in the S&P 500 had directors with a more limited connection to the world of cybersecurity, such as a board member who serves as a director for an IT vendor or someone who may have experience in the industry in a role outside the C-Suite.
"The reality is that cybersecurity is a growing risk across all industries and businesses," said Brian Stafford, President and CEO of Diligent. "Boards of directors have a growing responsibility to build their competency around cyber risk so they can implement more effective governance strategies and have more meaningful conversations with management."
Supplemental Quotes
"Keeping our businesses secure in this increasingly complex cyber threat environment must start with a commitment at the CEO and board level to create and incentivize a strong culture of corporate cyber responsibility in which cyber risk is managed as a business risk and treated as a fundamental matter of good governance. This includes prioritizing education to ensure that Board members have a basic understanding of cybersecurity to enable informed decisions about effectively managing cyber risk," said Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly in a statement.
"Cybersecurity expertise at the board level is not a luxury; it's a necessity. In a world where cyber risks infiltrate every corner of business, board directors must elevate their cyber literacy to levels equal to or beyond their financial acumen. It's imperative for national and economic security around the globe," said ISC2 CEO Clar Rosso, CC. "Ensuring board directors are aware of cyber risks, and cybersecurity experts can clearly articulate those risks, results in better business decisions that enhance organizations' security posture, empowers the cyber workforce and paves the way for a safe and secure future."
"As cyber threats continue to rise, it is more important than ever for boards of directors to increase their understanding and education around cybersecurity. By enabling themselves with this knowledge, directors can help best guide the organization to make strategic decisions to mitigate risk and better ensure the security and long-term success of the business for many years to come," said David Platt, SVP & Chief Strategy Officer for Moody's Corporation.
"Given the material negative impact in shareholder value from cyberattacks, board oversight of cybersecurity risk is becoming increasingly important across the governance landscape," said Cheryl Gustitus, Chief Strategy Officer at Glass Lewis. "With the new U.S. SEC cybersecurity rules going into effect in 2024, investors will likely look even more closely at companies' risk management, strategy, and governance practices on this critically important issue. Glass Lewis is pleased to be part of this new coalition and looks forward to helping both investors and board directors raise their awareness related to cybersecurity risk oversight."
"Boards are beginning to take action on how they can more effectively help their organizations manage cybersecurity risk. We are seeing boards more proactively educating themselves on cybersecurity, increasing engagement with technology and cybersecurity leaders, and seeking new directors with technical experience to strengthen their oversight capabilities. However, this will remain a gradual evolution, considering low boardroom turnover. Data from our U.S. Spencer Stuart Board Index supports NightDragon and Diligent's findings: few S&P 500 companies are adding true cyber/tech expertise to their boards. Only 4% of new S&P 500 directors in each of the past three years have true cyber experience," said Kate Hannon, member of Spencer Stuart's global Technology Officer Practice and head of the firm's Cybersecurity Practice.
Methodology
To determine the level of cyber acumen existing in corporate leadership, NightDragon and Diligent Institute (the corporate governance research arm of Diligent, a GRC SaaS company) reviewed the board and C-suite compositions of the S&P 500 companies and categorized them based on specific criteria, including previous roles and cyber experience.
A full in-depth methodology and tiering can be found in the full report here.
About NightDragon
NightDragon is an investment and advisory firm focused on growth and late-stage investments within the cybersecurity, safety, security and privacy industries. Its platform and vast industry network provide unparalleled threat insights, deal flow, market leverage and operating expertise to drive portfolio company growth and increase shareholder value. Founded by Dave DeWalt, the NightDragon team has more than 25 years of operational and market expertise leading technology companies such as Documentum, EMC, Siebel Systems (Oracle), McAfee, Mandiant, Avast and FireEye. Read more about NightDragon at www.nightdragon.com.
Media Contact:
Sarah Kuranda Vallone, VP Marketing
About Diligent
Diligent is a leading GRC SaaS company that gives organizations the tools and solutions they need to bring clarity to complex risk, elevate impactful insights and get ahead of a world that is constantly changing. With solutions across governance, risk, compliance, audit and ESG, Diligent empowers more than 1 million users and 700,000 board members and leaders to make better decisions, faster. No matter the challenge. Learn more at diligent.com.
Follow Diligent on LinkedIn, Twitter and Facebook.
About Diligent Institute
Diligent Institute informs, educates, and connects leaders to champion governance excellence. We meet this mission through original, cutting-edge research on critical corporate governance issues, certificate programs for corporate leaders, peer networks that convene directors and executives to share best practices, and recognition programs that celebrate governance excellence. Diligent Institute was founded in 2018 as Diligent's global corporate governance research arm and think tank. Learn more at diligentinstitute.com.
Media Contact
Julia Hanbury
Senior Communications Manager, Diligent
+1 (604) 669-4225
SOURCE NightDragon