Just 5% of businesses have a cyber expert on the board, despite stronger cybersecurity correlating with significantly higher financial performance, according to a new report by Diligent and Bitsight.
There was a significant variation between countries regarding the proportion of organizations with a cyber expert on the board, ranging from 10% in France to just 1% in Canada.
The study also found a marked improvement in security performance when these experts sit on an audit committee or a specialized risk committee rather than on the board alone.
Companies with a cyber expert on an audit or specialized risk committee achieved an average security performance score of 700 out of a maximum of 900, compared with 580 for businesses without a cyber expert on such a committee.
Committee structure mattered even without a cyber expert: the median security rating was 730 for businesses with a specialized risk committee and 720 for those with only an audit committee, against 660 for companies with neither.
The countries where companies were most likely to have specialized risk committees were Australia (90%), UK (48%), Canada (45%), and France (38%).
This tracked the overall average security rating per country, with Canada, the US, Australia, the UK and France making up the top five of the seven nations analyzed.
The security ratings, which range from 250 to 900, are Bitsight measurements of an organization's ability to prevent cybersecurity incidents over time. They are derived from externally observable signals, so they are a proxy for security posture rather than a direct audit of internal controls.
The data is collected across 23 risk vectors, including botnet infections, patching cadence, mobile application security and open ports.
Stronger Cybersecurity Equates to Better Financial Performance
Companies with ‘advanced’ security ratings (740-900 score) had a much stronger financial performance than companies with ‘basic’ security ratings (250-630 score).
Over a three-year period, the average total shareholder return (TSR) for companies with advanced security performance ratings was 67%, compared to 14% for companies with basic ratings – over four times as much.
Over five years, companies in the advanced performance range had an average TSR of 71%, while those in the basic performance range had an average TSR of 37%.
The report set out several potential factors that could explain this correlation, including:
- Some of the companies with high cybersecurity scores are in high-growth sectors, such as technology
- Businesses in the advanced security performance bracket also possess robust governance fundamentals
Keith Fenner, SVP and GM EMEA at Diligent, said the findings underscore the need for boards and business leaders to build their competency around cyber risk, with this area now a key indicator of financial performance.
“These findings show that cybersecurity is not just an IT problem – it is an enterprise risk that has material impact on a company’s near-term performance and long-term health, and one that management and the board need to be up to speed on,” he explained.
Cybersecurity Performance by Sector
The report found that highly-regulated industries tended to outperform other sectors in cybersecurity performance measures.
Healthcare had the highest average security score, followed by energy, utilities and financials.
The financial industry had the highest proportion of organizations in the advanced security performance range, at 33%. This was followed by healthcare (18%), industrials (10%), information technology (9%) and consumer discretionary (9%).