Cybersecurity, audit, and the board: How does board oversight impact cybersecurity performance?

Posted by Edna Twumwaa Frimpong and Dottie Schindlinger, Diligent Institute, and Derek Vadala, Bitsight, on
Tuesday, April 16, 2024
Comment print this page Print
, , , , , ,
More from: , , , ,

Edna Twumwaa Frimpong is Director of International Research and Dottie Schindlinger is Executive Director at Diligent Institute; and Derek Vadala is Chief Risk Officer at Bitsight. This post is based on a recent report by Ms. Frimpong, Ms. Schindlinger, Mr. Vadala, Kira Ciccarelli, Jacob Olcott, and Jeff Barnett.

Introduction

The rapid escalation in the frequency and severity of cyber incidents has positioned cyber risk as one of the foremost challenges confronting boards.[1] With cyber threats becoming increasingly sophisticated and pervasive, boards are under mounting pressure to effectively address cybersecurity risks to safeguard their organizations’ interests. With projected financial losses from data breaches estimated to reach approximately USD 10.5 trillion by 2025, and new pressure from regulators like the SEC, the oversight role of the board becomes even more crucial.[2]

Boards are prioritizing robust oversight mechanisms to mitigate cyber risk and protect their organizations’ financial health and reputation in an ever-evolving digital world. However, the approaches boards take to address cyber risk vary, prompting questions about the effectiveness of different board governance structures and strategies.

Diligent Institute and Bitsight, recognizing the need for deeper insight into board practices regarding cybersecurity oversight and the impact they have on organizations, set out to better understand how boards are addressing cyber risks and the outcomes of these approaches. Through this report, we aim to shed light on several key questions:

  • Is there a relationship between cybersecurity performance and financial performance?
  • Do companies demonstrate better performance in cybersecurity when specialized committees are established for oversight, versus assigning cyber risk oversight to the audit committee?
  • Does audit committee oversight of cyber risk correlate with security performance?
  • Does the presence of cyber experts on boards correlate with security performance?
  • What else might we learn about cyber risk governance from companies that have high security performance ratings?

By addressing these questions, we aim to provide actionable insights that can inform best practices in corporate governance and enhance the structural oversight of cyber risk.

Methodology

Our analysis consists of publicly-available data on 4,149 mid to large-cap companies in public indices across Australia, Canada, France, Germany, Japan, the United Kingdom, and the United States. Leveraging board data sourced from Diligent Market Intelligence in late November 2023, we examined the board structures and director skillset backgrounds of these companies.

We then identified companies with specialized board committees dedicated to cyber, risk, or safety oversight. Throughout this report, we collectively referred to these committees as “specialized risk committees.”

We have also categorized cybersecurity oversight at the committee level into three groups to assess their potential impact on cybersecurity risk ratings:

  1. Companies with a specialized risk committee to oversee cybersecurity.
  2. Companies without a specialized risk committee, where we have made the assumption that the audit committee has been tasked with overseeing cybersecurity risk along with other areas of enterprise risk.
  3. Companies with neither an audit nor a specialized risk committee, where we have made the assumption risk is overseen at the full board level.

For the purposes of this report, we have classified directors as “cybersecurity experts” if they meet the following criteria:

  • They are current or former Chief Information Security Officers (CISOs), or
  • They are current or former CEOs, Chief Information Officers (CIOs) or Chief Technology Officers (CTOs) of a cybersecurity company.

We also have correlated each company’s cyber oversight structure with their corresponding security performance data, obtained from Bitsight. The correlation method involved averaging the ratings within each category to identify discernible patterns. Bitsight creates cybersecurity ratings based on externally observable measurements of an organization’s security posture. The data was pulled between December 2023 and February 2024 and the ratings range from 250 to 900 (in 10-point increments), grouped into three broad classifications:

  1. Basic Security Performance: A rating ranging from 250 to 630 comprising 12% of our sample.
  2. Intermediate Security Performance: A rating ranging from 640 to 730 comprising 47% of our sample.
  3. Advanced Security Performance: A rating ranging from 740 to 900 comprising 41% of our sample.

A more detailed breakdown of the factors that inform this rating can be found in the Appendix.

Key findings

Companies with advanced security ratings create nearly four times the amount of value for shareholders as companies with basic security ratings. On average, the Total Shareholders’ Return (TSR) over three and five years for companies in the advanced security performance range is approximately 372% and 91% higher, respectively, than their peers in the basic security performance range.
Companies with a specialized risk or audit committee had higher security performance ratings on average. Companies falling within these two categories have an average security rating of 710, whereas companies lacking both committees have an average security rating of 650. The findings also suggest that the distribution of security ratings among companies with specialized risk and audit committees tends to skew towards the advanced security performance range, whereas companies lacking either of these committees tend to skew towards the basic security performance range.
Having a cybersecurity expert on the board is not enough. Integrating a cybersecurity expert into the board committee tasked with cybersecurity risk oversight makes a significant difference in an organization’s performance. Merely having a cybersecurity expert on the board does not correlate to having a higher security performance rating. Companies with cybersecurity experts on either audit committees or specialized risk committees achieve an average security performance rating of 700, whereas companies with cybersecurity experts but not on either committee attain a security rating of 580. Regardless of this, the percentage of companies with cyber experts on the board remains significantly low. Only 5% of companies within the sample had cyber experts on their boards.
Highly regulated industries tend to outperform other industries in terms of cybersecurity performance. Of the companies with advanced-level security performance ratings, a full third (33%) came from the financial services sector – with an average rating of 720. The sector with the highest average rating overall though, was healthcare at 730. By comparison, nearly a quarter (24%) of companies with basic security performance ratings came from the industrials sector, and the sector with the lowest overall performance rating was the communications sector, at 630.

Endnotes

1Corporate Board Member, Diligent Institute, BDO, What Directors Think, January 2024.(go back)

2NightDragon, Diligent Institute, State of Cyber Awareness in the Boardroom, September 2023.(go back)

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>