Cyber oversight

Findings

Respondents, primarily corporate secretaries, in-house counsel, and other in-house governance professionals, represent public companies (89%) and private companies (11%) of varying sizes and industries.¹ The findings reflected in the bar charts pertain to all companies, public and private. Where applicable, commentary has been included to highlight differences among respondent demographics. The actual number of responses for each question is provided.

Download complete findings as well as results by respondent demographic in boxes above.

Select any statements that reflect your board’s current composition as it pertains to cyber experience. Select all that apply. (130 responses)

About 70% of large-, mid-cap, and private companies report having one or more board members with cyber experience. About 57% of small-caps said one or more board members have cyber experience.

Among public companies, 11% said cyber experience is a top recruitment priority in the next one to two years, whereas no private companies reported this as a recruitment priority.

Describe the frequency of cyber and cyber risk on full board meeting agendas (vs. those addressed at the committee level). (126 responses)

Cyber is on the agenda annually for 40% of large-cap and 52% of mid-cap companies. The remainder of responses for these market caps was spread across quarterly, biannually, and other. For small-caps, the most common responses, both at 36%, were quarterly and other. Nearly 77% of private companies said that cyber and cyber risk is on the full board meeting agenda annually.

What resources does the board/committees that oversee cyber use to stay current on the cyber risk environment? Select all that apply. (123 responses)

Management expertise was cited as the most common resource the board uses to stay current on cyber risk, as reported by more than 90% of large- and small-cap companies and 85% of mid-cap and private companies.

More than half of large- and mid-cap companies and private companies and nearly 70% of small-cap companies reported the use of outside/external advisers and relevant briefings and publications provided by management.

About 50% of public companies cited cyber expertise on the board compared with 31% of private companies.

Among all market caps and private companies, more than 36% reported board in-person or online education as a resource.

End notes

¹ Public company respondent market capitalization as of December 2020: 40% large-cap (which includes mega- and large-cap) (> $10 billion); 47% mid-cap ($2 billion to $10 billion); and 13% small-cap (includes small-, micro-, and nano-cap) (<$2 billion). Private company respondent annual revenue as of December 2020: 50% large (> $1 billion); 25% medium ($250 million to $1 billion); and 19% small (<$250 million). Respondent industry breakdown: 25% consumer; 34% energy, resources, and i ndustrials; 22% financial services; 10% life sciences and health care; and 9% technology, media, and telecommunications.