Board members frequently struggle to understand cyber risks, putting businesses at higher risk of attacks, a new report from cybersecurity consultancy Savanti has found.
The authors said this vacuum in cybersecurity board governance also has significant business impacts, with evidence showing that enterprises that demonstrate effective cyber preparedness have significantly higher revenue growth, valuations and net margins.
This includes investors viewing cyber “as the canary in the coal mine for organizational health.”
Growing Recognition in the Boardroom
The Savanti report cited Check Point research published in January 2023, which found that global cyber-attacks increased by 38% in 2022 compared to 2021.
Savanti highlighted the range of business impacts of such attacks, which is putting cybersecurity firmly on the agenda of board members. For example, research from Harvard in November 2022 found that almost three-quarters of board directors rank cyber as a top priority.
These impacts include higher insurance premiums, business disruption, lower production, delays, reputational damage, intellectual property theft, litigation and regulatory actions.
Additionally, the authors noted that board interest is being piqued as a result of growing media reporting of cyber incidents, a heightened board focus on operational resilience post-pandemic, investor pressure and a tightening regulatory environment.
Lack of Cyber Awareness
However, board directors often lack the right level of cyber awareness, putting their businesses at higher risk of attack. One study by PwC in 2022 found that 59% of directors admitted their board is not very effective in understanding the drivers and impacts of cyber risks for their organization, while another by Russell Reynolds in the same year showed that a majority “only somewhat” understood their cybersecurity vulnerabilities.
The Savanti report highlighted that many boards struggle to challenge what they hear about cybersecurity from their organization’s CISO. This is due to factors such as fear of betraying their ignorance.
This issue is compounded by the fact that many CISOs struggle to communicate at board level, tending to focus on technical briefings ahead of strategic risk-based discussions, such as the financial exposure resulting from cyber risk.
Richard Brinson, CEO of Savanti, commented: “While there has undoubtedly been progress in recent years on board governance of cyber security, many boards struggle to dispense their responsibilities.
“We found many board members don’t understand their unique role on cybersecurity, lack the right level of cyber awareness and are scared to turn to their CISO to bridge this gap, for fear of exposing their lack of understanding.”
Achieving Effective Cybersecurity Board Governance
Brinson added that it is vital that cyber expertise is improved at the board level, particularly with the plethora of security regulations coming into force in the US, UK and Europe. This includes new rules from the US Securities and Exchange Commission (SEC) requiring publicly listed firms to disclose material cyber incidents within four business days of determining that an incident is material.
Savanti set out five steps to ensure boards develop an effective cybersecurity governance strategy. These are:
- Understand your unique role as a board. This includes setting the risk appetite – acknowledging the risks the board accepts – and ensuring directors are ready to play their role during a cyber incident.
- Be appropriately informed about technology, data and cybersecurity. The report advocated boards recruiting at least one member with specific expert knowledge in cyber.
- Put cybersecurity on the board’s agenda. Cybersecurity should be regularly discussed during board meetings, according to the report.
- Board and executive access to independent cybersecurity advisors. Independent security advisors should be used to enhance boards’ cyber knowledge, and also coach CISOs on how to communicate and engage appropriately at board level.
- Actions for regulators, investors and public bodies. Savanti urged “smart and focused regulation” that places new requirements on boards, such as reporting on their company’s risk management arrangements for cybersecurity. Additionally, other stakeholders such as investors should put pressure on businesses to take more action on cybersecurity.