Bob Zukis is the Founder and CEO and Fay Feeney is an Advisory Board Member at Digital Directors Network.
The role of corporate governance has never been a more vital control in securely delivering on the potential of the digital future. As the economic outputs and risks from digital business systems increase and expand, boardroom effectiveness is vital to how companies use and protect the digital business systems delivering their future.
As fiduciaries, asset managers such as BlackRock, Vanguard, State Street and others deploy investment stewardship programs that share the common objective of promoting and strengthening boardroom effectiveness to safeguard assets and enable investment returns at the companies they invest in on behalf of their clients. Those programs are an underleveraged source of value creation and protection in the digital economy.
Vanguard states their stewardship responsibilities as “…a clear mandate to safeguard and promote long-term investment returns at the companies in which our funds invest.”
State Street puts it succinctly when they say “We believe our portfolio companies must have effective oversight and governance of opportunities and risks that are material to their businesses and that they should disclose how they are overseeing such risks and opportunities to investors.”
With the practice and profession of digital, cybersecurity and systemic risk governance starting to develop, evidence from the early adopters of leading policies and practices in digital governance demonstrates that boardroom effectiveness on these issues is creating superior returns for investors and reducing risk.
This article provides investment stewardship programs with a blueprint for understanding and promoting the drivers of boardroom effectiveness in digital, cybersecurity and systemic risk oversight.
Corporate governance is a control in the complex digital business systems that power companies. Evidence supports the reality that high performing systems of digital governance create business value and protect business value more effectively. Far too frequently however, the boardroom is a non-existent or under-performing control in the digital business system.
Four key governance principles have been shown to drive boardroom effectiveness in digital, cybersecurity and systemic risk oversight:
Principle #1: Boardroom effectiveness and the policies and practices that create a high-performing system of digital governance are recognized as critical controls that strengthen all other controls in how the digital business system securely creates value for the business and investors.
Principle #2: Board composition, director capabilities and related disclosures reflect the breadth and depth of director digital and cybersecurity expertise needed to oversee the entire digital business system.
Principle #3: The board is organized effectively and transparently to deploy digital director expertise against the full breadth of digital risks facing the company.
Principle #4: The board’s scope of risk oversight is comprehensive, disclosed and covers all aspects of relevant digital risks, including opportunity, cybersecurity and systemic risk.
Boardroom effectiveness on these issues revolves around the system of governance that deploys the right director skills in a structured way against a comprehensive scope of risk understanding, i.e., system, skills, structure and scope. A growing body of evidence including research from MIT and Virginia Tech shows that effective digital, cybersecurity and systemic risk oversight drives superior returns in business value creation and risk mitigation — providing direct benefits to investors who bear the costs of digital underperformance and cybersecurity failure.
MIT has concluded that when corporate boards have directors with the breadth and depth of digital expertise needed to oversee the entire digital business system, significantly more financial value is created by the company. Financial and investor impacts identified by the MIT research included:
- 34% higher market capitalization over a 3-year period
- 38% higher revenue growth over a 3-year period
- 17% higher profitability over a 3-year period
These results were identified when there was a critical mass of three digitally savvy directors in the boardroom with true digital expertise and competencies. Director expertise extends across any and all of the relevant domains of a complex digital business system and reflects true applied experience in these areas, e.g., data, information architecture, risk communications, emerging technology, cybersecurity, third-party risk, IT operations and regulation.
A board that can actively engage with management through director expertise on these issues is a key driver of boardroom effectiveness in digital, cybersecurity and systemic risk governance.
In a notable first regulatory development anywhere in the world, the European Central Bank (ECB) now requires that the banks it oversees have directors with information, communications and technology (ICT) expertise and information security expertise on their boards. With the goal of creating financial system resiliency for the citizens of the EU, this commonsense regulation recognizes the importance of director expertise in safeguarding all stakeholder interests.
The ECB’s mission is to keep the banking system in Europe safe, and it currently oversees 113 banks across the EU. With an emphasis on true expertise in overseeing digital business systems, as opposed to generalist director competencies in risk management, the ECB recommends at least one non-executive director with:
“…relevant and recent knowledge of, and expertise in, ICT and security risks (experience has shown that five years of relevant practical experience is an adequate threshold to ensure good management and decision making at board level).”
As every investment stewardship program acknowledges, boardroom effectiveness is an important contributor to investment returns. As a leadership control, the strength or weakness of the boardroom can positively or negatively amplify the effectiveness of the entire digital business system and how it enables and protects business value.
Unfortunately, investors sustain the bulk of the financial impacts when boardrooms fail in their oversight responsibilities for the digital business systems that power their companies. The ransomware incident at UnitedHealth Group (NYSE: UNH) has been described as the largest cybersecurity incident in American history. UNH has projected that its 2024 financial impacts will almost reach US $2.5 billion — real costs and assets unnecessarily expended that could have been deployed elsewhere. Beyond the economic implications, a wide range of impacts occurred, including the widespread impairment of patient care levels. For stewards of capital, this represents a preventable failure of the boardroom leadership system.
These negative impacts stemmed from the boardroom leadership failures of UNH, as called out by U.S. Senator Ron Wyden during the congressional testimony of UNH CEO Andrew Witty. Senator Wyden declared that the UNH board was responsible for this failure when he identified that there was no director with cybersecurity expertise on the UNH board.
Contrast the ECB requirement with the U.S. Securities and Exchange Commission (SEC), which removed the proposed director cybersecurity expert disclosure requirement from the final cybersecurity disclosure rules it issued in 2023 for U.S. public company boards. Notably, a large group of organizations advocated against the commonsense disclosure of director cybersecurity expertise in their comment letters to the SEC. These groups included the corporate governance associations the National Association of Corporate Directors (NACD) and the Society for Corporate Governance, along with the American Bar Association, Microsoft, the NYSE, the U.S. Chamber of Commerce and a large group of industry associations.
Hackers have a vested interest in keeping boardroom leadership weak in cybersecurity. While the motivations of these organizations are their own for this disclosure position, it comes at the expense of investors. Notably, the investor community was in favor of the proposed SEC rule for director cybersecurity expertise.
Commenting on the proposed rules, Calpers, the largest public defined benefit pension fund in the U.S., said:
Beginning with the Cybersecurity Disclosure Act of 2017 (S. 536 by Senator Jack Reed (D-RI)), we have consistently supported legislative efforts to require publicly traded companies to disclose in their annual reports or annual proxy statements, whether any member of their governing body, such as a board of directors, has expertise or experience in cybersecurity issues.[1]
The Council of Institutional Investors (CII), a nonprofit association of U.S. public, corporate and union employee benefit funds, said in their SEC comment letter:
We are pleased to see that the Proposed Rules address the role of the board in cybersecurity risk management and strategy in a thorough manner, including disclosure of whether any board member has expertise or experience in cybersecurity. We believe that annual disclosure of cyber expertise among board members, if any, in the annual report and proxy would be helpful to investors, especially in voting decisions.
The world’s leader on responsible investment, PRI (Principles for Responsible Investment), said in their SEC comment letter:
The PRI welcomes mandatory disclosure of board expertise on cybersecurity. In general, the PRI believes that enhanced expertise at the board level on sustainability matters is crucial to companies’ sustainability efforts. Board cybersecurity expertise serves as a useful starting point for investors to assess a company’s approach to cybersecurity, which is one part of sustainable operations.
In addition, several cybersecurity industry associations with deep knowledge of these technologies and their risks also supported director cybersecurity expertise disclosure, including DDN, ISC2 and the SANS Institute. The American Institute of Certified Public Accountants (AICPA), the largest association of accountants in the U.S., also supports director cybersecurity expertise disclosure, saying:
The AICPA agrees that investors and other stakeholders may benefit from disclosures related to board members’ cybersecurity expertise. Understanding such matters enables investors to consider the importance a registrant places in effectively managing its cybersecurity risks.
Virginia Tech conducted research as a part of their response to the SEC’s proposed director cybersecurity expertise disclosure rules. Based upon the actual experiences of those they interviewed, they presented the following evidence for the risk reduction benefits of director cybersecurity expertise on corporate boards as a driver of boardroom effectiveness:
- The overall consensus was that director cybersecurity expertise enables directors to provide proactive, value-added oversight of cybersecurity risk that wouldn’t be possible without it.
- Lack of expertise leads to superficial, check-the-box oversight. For example, board members may simply not give adequate attention to cybersecurity, since directors naturally focus on things they know best. They may ask the CISO naive or off-the-shelf questions that don’t cut to the heart of the company’s cybersecurity risks.
- When answers are provided [by the CISO], directors may not understand them, or be able to detect rosy framing or ask follow-up questions to probe if the CISO or their program needs a shift in direction.
- Benefits of directors with cybersecurity expertise include that they “can talk with the CISO to fully understand issues and challenge the CISO’s cybersecurity programs when needed”. They can also be a tremendous asset to the CISO by acting as a go-between with the board and by lending political capital to the CISO’s requests to the C-suite for resources and needed organizational changes.
- True expertise — such as that gained through direct, hands-on experience managing cybersecurity — provides the most benefits. However, even modest investments in a board’s expertise, such as cybersecurity training, can pay substantial dividends.
The quality and effectiveness of corporate governance is significantly impacted by the skills, capabilities and expertise of the directors on the board. Investment stewardship engagements should focus on understanding the levels of director expertise in digital, cybersecurity and systemic risk to identify whether the board can function as a control that positively contributes to boardroom effectiveness.
Investment Stewardship Engagement: Effective investment stewardship should reflect an understanding of the depth and breadth of director expertise across all domains of a complex digital system, including cybersecurity expertise. Investment returns and boardroom effectiveness in digital, cybersecurity and systemic risk oversight are directly correlated with the depth and breadth of director expertise in complex digital business systems. The presence, or absence, of digital director expertise should be reflected in investment analysis, in investment ownership policies and practices and in assessing disclosure effectiveness.
Expertise is defined as applied experience in IT or cybersecurity — not a casual or general awareness of the issues. This is a similar definition to what the SEC expected when financial expertise disclosure was mandated for America’s public company boards in 2002.
The CrowdStrike (NASDAQ: CRWD) cyber incident, a cybersecurity incident that was not triggered by a malicious attack, reflects the systemic cyber risks inherent in the inter-connected digital economy. This failure created significant economic losses, estimated by Fortune to exceed US$ 5.4 billion. It also triggered a 40% share price decline in CRWD stock within weeks of the incident. CrowdStrike’s audit committee has responsibility for cybersecurity oversight, a frequently cited bad practice in organizing corporate board resources and responsibility for cybersecurity governance.
How corporate boards organize themselves on any issue is a determinant of boardroom effectiveness over that issue. Leading practice boards in digital, cybersecurity and systemic risk governance are moving cybersecurity out from the audit committee into more focused committees, often institutionalizing digital innovation oversight alongside cybersecurity risk in the same board committee. FedEx took this step over twenty years ago when they first established a Cyber and Technology Oversight committee on their board.
Research from Harvard indicates that board committees are powerful forces of board effectiveness by creating:
- Accountability to internal and external stakeholders, such as investors, on the committee’s issues.
- Task efficiency within the committee, providing an environment where issues can be discussed in greater depth and breadth.
- Knowledge specialization within the committee, where director expertise is aligned to the issues and engagement with management is more meaningful.
While the SEC did not include director cybersecurity expertise disclosure in their final cybersecurity disclosure rules, they did include board committee disclosure for cybersecurity. This at least creates transparency for how the board is organized to oversee cybersecurity, an issue institutional investors should also pay attention to in assessing boardroom effectiveness.
While committee disclosure of cybersecurity oversight is useful, oversight of digital innovation is frequently not within any one committee which defaults it to the whims of the full board agenda. Given the proven benefits of boardroom effectiveness in governing digital innovation as identified in the MIT research, digital innovation oversight should not be an afterthought as it is critical in driving investor returns — the FedEx model is a useful leading practice.
Investment Stewardship Engagement: Stewardship engagements should identify where cybersecurity oversight responsibility resides within the boardroom and whether the scope of oversight is well articulated, as it typically is when a cybersecurity committee is in place. A committee’s charter is an accountability declaration that also provides transparency for investors. Investment stewardship engagements should also inquire about the board’s approach to actively governing digital innovation as a requirement for assessing boardroom effectiveness. An ad-hoc approach to digital innovation governance left to the full board is less likely to create the returns identified by the MIT research.
Recent surveys of FTSE 350 company secretaries in the U.K. and of C-suite executives by PwC in the U.S. show cyber risk as the top current business risk, reflecting more concern from executives than other risks such as geopolitical insecurity, climate, social instability and macroeconomic uncertainty.
But many boardrooms remain the weak link in their company’s digital business system. Investment stewardship engagement built on the four key principles that determine boardroom effectiveness on these issues should strive to understand the system of governance the board has in place for digital, cybersecurity and systemic risk governance. That system should comprise director digital and cybersecurity expertise; an organizing model for the board that is efficient, effective and targeted; and a scope of risk oversight that is comprehensive across the entire digital innovation, cybersecurity and systemic risk oversight agenda.
With so much at stake for investors, investment stewardship has an important role to play in advancing boardroom effectiveness through policies and practices that have proven to drive investor returns and protect investor assets — creating both short-term and long-term opportunities to drive Alpha with the right attention and focus on digital governance.
The DOMINO Guide 2025 Edition: The Definitive Boardroom Guide On Digital, Cybersecurity and Systemic Risk Governance includes more details on leading governance policies and procedures in these areas.