A new report from a Stamford group has found that corporate board members are growing increasingly concerned about cybersecurity – specifically how they feel poorly equipped to deal with the ever-increasing pace of technology and business disruption.
According to the 15th annual “What Directors Think” survey by Corporate Board Member, a division of Stamford-based business leader networking and conference company Chief Executive Group LLC, nearly 60.5 percent of its 200-plus respondents – all directors at publicly traded U.S. companies – cited cybersecurity as the topic they would most like to bring a panel of experts into their boardroom to discuss, easily eclipsing disruptive innovations (39.5 percent) and succession planning (20 percent).
“Cybersecurity being at or near the top of the survey has been somewhat consistent over the past few years,” said Melanie C. Nolen, research editor, Corporate Board Member, who directs the annual survey. “But this year it’s taken center stage and is way ahead of all the other issues.”
Nearly two-thirds (63 percent) of directors surveyed said their board has at least one member with the technical skills to engage in a meaningful discussion with senior information security executives on matters of a highly technical nature. However, a similar proportion (67 percent) reported having had to bring in subject-matter experts to help solve complex cyber issues. Twenty percent of those who had not yet done so at the time of the survey said they were considering doing it in the near future.
Corporate Board Member’s feeling is that the high-profile cybersecurity breaches over the past several months have played a significant role in the increased apprehension. Nolen pointed to consumer credit reporting agency Equifax, which last September announced that cybercriminals had accessed the personal data of some 145.5 million of its American consumers; the U.S. Securities & Exchange Commission, which just two weeks later announced that in 2016 hackers had breached its cache of files on publicly traded companies; and Uber, which last November revealed that during the previous year a data breach had disclosed personal information on about 600,000 drivers and 57 million customers.
Directors’ concerns are well placed – and not just because of the potential damage to their companies, Nolen said. “There’s more and more talk about how directors could be held liable for such breaches.”
A November 2017 Fordham Journal of Corporate & Finance Law article noted that since directors owe their corporation and shareholders a duty of care and oversight, and publicly traded corporations have a duty to disclose relevant information across a range of subjects, “a failure to disclose a data breach can result in liability under regulatory and common law.”
However, it added, “Equifax did not actively mislead anyone; thus, its level of intent is an unlikely basis for criminal prosecution. Negligence is only a basis for corporate criminal prosecution in food, drug and environmental cases.” The article further noted that circuit courts have been split on questions of civil liability claims in such instances.
Nolen noted that Equifax and the other cases have also played a part in directors’ opinions about the potential effectiveness of additional government regulation. In the 2017 “What Directors Think” survey, 78 percent of respondents said they felt additional regulation would have little effect in curbing cyberattacks and would overburden companies and their boards. This year, 20 percent said that those high-profile breaches had convinced them to change their stance in favor of more cyber regulation, bringing the figure up to 60 percent.
Nevertheless, devoting more company resources to the issue remains anathema to most directors. Eighty-two percent of directors said they did not see the need for distinct cyber risk committees, in line with last year’s findings. Instead, many feel it should fall under the auspices of their existing audit committees.
“At many companies, the audit committee has been overburdened for some time now,” Nolen wrote in the report. “With an increasing number of issues falling within the audit committee’s purview, perhaps the solution lies in shifting risk oversight out of its scope of responsibility, as proposed by one of our respondents, either by creating a pure risk committee, making risk a full-board responsibility or periodically rotating committee chairs and members.”
“I think we’ll start seeing a shift there,” Nolen said. “Cybersecurity is a topic that is being deeply felt throughout organizations – it’s not something that you can sit on the sidelines about. Everyone understands it now, to varying degrees.”
Realizing that cybersecurity is an enterprise issue that deserves more specific attention is the next step for many companies, she said.