Board Practices Quarterly, May 2021
By Natalie Cooper, Bob Lamm, and Randi Val Morrison
In September 2020, Deloitte and the Society for Corporate Governance announced the collaborative launch of the Board Practices Quarterly, a new series of periodic reports based upon brief surveys of Society members. The Quarterly replaces our long-standing Board Practices Report to bring you insights and benchmarking data more frequently.
With breaches continuing to dominate the headlines, cybersecurity and cyber risk remain among the top areas of investor, regulator, consumer, and other stakeholder focus, with growing pressure on businesses of all types and sizes to articulate how they are actively managing and mitigating these risks. Boards are expected to be well-informed about their company’s cyber posture and to demonstrate effective oversight. These pressures and expectations have multiplied with new challenges prompted or accelerated by the COVID-19 pandemic, such as remote work, increased use of personal devices, use of new technologies that may lack security protections, budget and resource constraints, and an expanded scope of cyberattacks that have flourished in the changed environment.
This issue of the Board Practices Quarterly presents findings from a March 2021 survey of in-house members of the Society for Corporate Governance about how their companies’ boards oversee cybersecurity and cyber risk—including matters relating to board composition and structure, management’s reporting to the board, board information sources, and shareholder engagement—as well as voluntary corporate disclosure practices.
Respondents, primarily corporate secretaries, in-house counsel, and other in-house governance professionals, represent public companies (89%) and private companies (11%) of varying sizes and industries.1 The findings reflected in the bar charts pertain to all companies, public and private. Where applicable, commentary has been included to highlight differences among respondent demographics. The actual number of responses for each question is provided.
Select any statements that reflect your board’s current composition as it pertains to cyber experience. Select all that apply. (130 responses)
About 70% of large-, mid-cap, and private companies report having one or more board members with cyber experience. About 57% of small-caps said one or more board members have cyber experience.
Among public companies, 11% said cyber experience is a top recruitment priority in the next one to two years, whereas no private companies reported this as a recruitment priority.
Describe the frequency of cyber and cyber risk on full board meeting agendas (vs. those addressed at the committee level). (126 responses)
Cyber is on the agenda annually for 40% of large-cap and 52% of mid-cap companies. The remainder of responses for these market caps was spread across quarterly, biannually, and other. For small-caps, the most common responses, both at 36%, were quarterly and other. Nearly 77% of private companies said that cyber and cyber risk are on the full board meeting agenda annually.
What resources does the board/committees that oversee cyber use to stay current on the cyber risk environment? Select all that apply. (123 responses)
Management expertise was cited as the most common resource the board uses to stay current on cyber risk, as reported by more than 90% of large- and small-cap companies and 85% of mid-cap and private companies.
More than half of large- and mid-cap companies and private companies and nearly 70% of small-cap companies reported the use of outside/external advisers and relevant briefings and publications provided by management.
About 50% of public companies cited cyber expertise on the board compared with 31% of private companies.
Among all market caps and private companies, more than 36% reported board in-person or online education as a resource.
1 Public company respondent market capitalization as of December 2020: 40% large-cap (which includes mega- and large-cap) (> $10 billion); 47% mid-cap ($2 billion to $10 billion); and 13% small-cap (includes small-, micro-, and nano-cap) (< $2 billion). Private company respondent annual revenue as of December 2020: 50% large (> $1 billion); 25% medium ($250 million to $1 billion); and 19% small (< $250 million). Respondent industry breakdown: 25% consumer; 34% energy, resources, and industrials; 22% financial services; 10% life sciences and health care; and 9% technology, media, and telecommunications.