A Research Report from DHR Global — Second in the Series on CISOs in the Boardroom.
The Securities and Exchange Commission (SEC) will soon announce details regarding new levels of boardroom cyber accountability, including:
- How boards of directors for public companies should track and report cybersecurity risks and incidents.
- The effects of these incidents on their businesses and bottom lines.
- The processes they put in place to resolve breaches and remain resilient.
- Annual reporting about board cybersecurity expertise, if any.
- Notifying investors about preparedness against evolving threats and about material incidents.
The SEC’s proposed amendments will go beyond the National Association of Corporate Directors (NACD) guidelines, which generally reference the need for cyber threat discussions; the legal implications of incidents; access to independent experts; understanding the expectations of management and the board; and how to manage risk in a world where total cybersecurity is unrealistic. Similarly, for some years, boards have referred to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This voluntary and customizable framework organizes cybersecurity risk management into five concurrent and continuous core functions: identify, protect, detect, respond and recover. It serves as a best-practice guide for raising awareness about cybersecurity and the importance of effective communication with internal and external stakeholders.
The SEC’s approach is expected to contrast sharply with these earlier, voluntary efforts. As the SEC discussed in its initial announcement in March 2022, the commission plans to help boards enhance and standardize disclosures about how their companies prepare for, mitigate and manage cyber risk; identify who has the expertise to manage cybersecurity risks and lead cybersecurity efforts; and determine how cybersecurity efforts affect the business health and financial success of these public companies.
DHR Global, an executive search and leadership consulting firm, has seen an uptick in the requirement for cybersecurity specialists to join boards, even before the SEC reveals details about the new rules. DHR conducted proprietary research into how America’s top 500 public company boards of directors are managing cybersecurity threats. DHR will expand this benchmark report next year and will publish it annually along with chief information security officer (CISO) skills sourcing recommendations and anecdotal accounts of cybersecurity best practices that DHR Global clients are incorporating globally.
The data below are from DHR Global’s first-year research findings and form the second article in its series, “CISOs in the Boardroom,” following the October 2022 publication of “It’s Happening Again – Massive Change Expected to America’s Boards of Directors, 20 Years After Sarbanes-Oxley.”
Our findings were startling and varied widely from company to company, indicating a need for SEC cybersecurity standardization and oversight:
- Only 1.4% (seven out of 500 companies) have a current or former CISO on their boards.
- Only one-quarter (23%) of the companies have a current or former chief information officer (CIO) on their boards.
- A majority (65%) have assigned their audit committees the added responsibility of directing and reporting on cybersecurity.
- Approximately half (48%) have disclosed that their board members have cybersecurity skills, although 7% of the 500 did not identify which directors or committee hold those skills.
- One-quarter (24%) are assigning cyber oversight to their full boards.
- Only 10 out of 500 companies, or 2%, have created cybersecurity committees.
- Only 11 out of 500 companies have assigned their risk committees to oversee cybersecurity.
“These findings are in line with what I’m hearing from companies that are looking for individuals who have recent cyber experience, which they describe as within the last two years,” said Kathryn Ullrich, Managing Partner in DHR’s tech-focused Silicon Valley office and a member of the Technology and Diversity Practices. “Some companies have cyber experience without CISOs and would get credit for meeting the expected SEC guidelines. An overwhelming majority of the inquiries, however, are from boards that don’t have any functional technical experience – even in the form of CIOs – and are suffering as a result.”
“Where entire boards have cyber oversight, it’s a nightmare as directors struggle to learn the evolving cyber landscape and NACD or NIST policies, as well as recommended board practices, all while worrying about external breaches,” she added.
Heather Smith, partner in the Board & CEO Practice at DHR, echoed Ullrich’s sentiments. “We believe most public companies of all sizes are ill-prepared for upcoming SEC regulations on cybersecurity and risk assessment,” Smith said. “It’s obvious that a sea change is underway at the board level. As a result of the SEC identifying the need and issuing new guidance, we’ve already had a number of boards looking to hire CISO board directors who understand the latest vulnerabilities and best strategies on cyber risk.”
DHR Global identified the top 500 U.S. public companies by revenue; researched their 10-K and annual proxy statements filed with the SEC for board composition; listed board directors with prior CISO or CIO experiences and directors who were disclosed to have cybersecurity expertise; and quantified the most prominent professional experiences of those cyber experts on the board. All data collected are based on publicly available information and have been aggregated.
In September 2022, DHR Global researched the top 500 U.S. public companies by revenue and their board members to learn how they’re assigning responsibility for cybersecurity and disclosing cyber expertise, since this is expected to be a key focus of the new SEC rules. The research focused on the largest public companies because of the readily available information and because these companies should be leading the way in demonstrating and disclosing cyber expertise on their boards.
DHR Global wanted to know if any existing or newly formed committees were being assigned to oversee cybersecurity and which directors had cyber expertise, either because these individuals’ profiles had been disclosed or it was likely, given their previous career experience.
Specifically, DHR Global wanted to know whether the boards had CISO and/or CIO board members since these executives would likely have the most technical insights on current cyber risks that companies face.
Top 500 U.S. Public Companies in Study
Our research targets the top 500 U.S. companies ranked by revenue. Half of the companies in our research scope reported their latest revenues between $6 billion and $15 billion, while the top nine companies reported revenue of more than $200 billion. The mean and median are $18.2 billion and $14.3 billion, respectively.
The industries these companies represent include:
- Financial services
- Health care
- Information technology (IT)
- Real estate
Each sector faces cybersecurity threats stemming from massive stores of data, hybrid campuses and outdated technology; new Internet of Things devices; a lack of system integration; weaknesses in identity and access management; data breaches resulting from ransomware, phishing and web application vulnerabilities; and denial-of-service attacks.
Most companies in our study are transforming their operations, networks and services to improve cybersecurity controls and agility for their businesses as well as customer experience.
Among our other findings:
- Most face continuing global supply chain issues.
- Most have moved or are moving to the cloud.
- Those that have moved to the cloud report more cyberattacks than ever before.
- 29% of CEOs and 40% of chief security officers admit their organizations are unprepared for a rapidly changing threat landscape, according to ThoughtLab’s 2022 cybersecurity study.
While the scope of this research study was the 500 largest U.S. public companies, DHR Global clients worldwide, of all sizes and both private and public, have inquired about the best approach for addressing their boards’ cybersecurity risk responsibilities.
Boards’ Disclosure of Cyber Expertise
The good news is that 48% of the top 500 U.S. public companies disclose in their annual reports or proxy statements that their boards have cyber expertise: 41% identify the specific committee or individuals holding that expertise, while 7% disclose the expertise without saying where it resides.
Eight percent of the companies didn’t disclose their boards’ cyber skills; however, they have at least one current or prior CISO or CIO on their boards, so those directors are very likely to be cyber-savvy.
The remaining companies (44%) either don’t have cyber experts on their boards or chose not to disclose this information. Neither scenario would meet the SEC cybersecurity rules unless the company hires an independent cyber consultant.
Committee Cyber Oversight
In annual report disclosures, the audit committee is most often the body responsible for cyber risk. In one-quarter (121) of the companies, the full board, sometimes together with another committee, is responsible for the oversight of cyber risk.
It’s noteworthy that 10 companies made the bold move to establish committees dedicated exclusively to cybersecurity, demonstrating their commitment to managing the risk appropriately. This is a trend DHR will continue watching, as we expect other companies to follow in order to better manage cyber risk.
Note: The oversight figures add up to more than 500 because some companies assign cyber oversight to more than one committee.
Cyber Experts on the Board
In the research, 238 companies disclosed the personal profiles of 443 individuals who brought cyber expertise to the boardroom.
A significant proportion of the cyber experts (58%) had prominent roles in the C-suite, including CEO, chief operating officer, chief financial officer and other executive positions. Another group of 77 individuals (17%) held senior executive titles such as executive vice president, senior vice president, vice president, and general counsel.
Another 45 individuals (10%) were active on various boards as professional board members; however, most had not held an executive role in the last decade.
Other professionals gained cyber expertise from their previous careers in the military (7%), government (5%) and academia (less than 3%).
Boards with CISO or CIO
We further investigated the number of CIOs and CISOs currently on boards because of the technical nature and rapid evolution of cyber risk. In conversations with board members, we learned about some who are considered to be cyber experts because they were technology industry executives, albeit not from technical fields. We also learned about audit committee members who don’t have technical expertise, and about 100-page audit committee reports with a single page devoted to cyber risk. These board members are scrambling to learn cybersecurity and cyber risk because they’re perceived as the most “technical” board members. The problem is that they don’t have cyber expertise.
It’s surprising that only seven of the top 500 U.S. public companies have a board member who is a current CISO or previously held that title. One-quarter (23%) of the companies have at least one current or prior CIO on their boards.
Since CISOs bring direct, hands-on cybersecurity experience, and CIOs bring broad experience overseeing information technology and its security program, we anticipate more companies will add at least one of those roles to their boards.
The 500 largest U.S. public companies should be leading the way in demonstrating cyber expertise on their boards, yet our research shows that even these companies may not have the required expertise to address increasing risks from cybersecurity threats.
In the absence of federal oversight, companies have been left to figure out for themselves how to respond to cyber-related risks. This has resulted in an inconsistent patchwork of approaches and a broad range of people with various job titles and expertise who are expected to lead the oversight of cybersecurity risk. These issues will only be compounded for smaller and mid-cap public companies that have fewer resources yet face the same cyberattacks.
We’ve also seen companies whose cybersecurity focus is incomplete, emphasizing protection over resilience.
As the Nov. 11, 2022, Harvard Business Review article, “Is Your Board Prepared for New Cybersecurity Regulations?” noted: “Most organizations … focus on cyber protection rather than cyber resilience. … Resiliency is more than just protection; it’s a plan for recovery and business continuation. Being resilient means you’ve done as much as you can to protect and detect a cyber incident and you’ve also done as much as you can to make sure you can continue to operate when an incident occurs. … The ultimate goal of a cyber-resilient organization would be zero disruption from a cyber breach.”
At DHR Global, we suggest that boards consider the depth of their members’ cybersecurity knowledge to effectively manage risk from cyberattacks. A few of our clients have seen firsthand that when boards appoint a CISO or CIO board director who has recent, relevant industry expertise and create a cybersecurity committee to manage risk, they improve their companies’ security and resiliency.
Meet the Authors
Kathryn Ullrich is a Managing Partner in DHR’s tech-focused Silicon Valley office, and a member of the Technology, Professional Services, Private Equity and Diversity Practices.
As a member of the Board & CEO Practice at DHR, Heather Smith works with clients to successfully place C-level executives, chairmen, CEOs and board directors. She is based in Chicago.