Introduction
Cybersecurity has become a critical concern for the board of directors. Driven by increasing regulatory scrutiny, most notably the Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, companies are under pressure to share more information with investors.
To understand how large-cap U.S. corporate boards oversee cybersecurity risk, I analyzed the most recent proxy statements and corporate governance documents of S&P 500 companies as of February 16, 2024. The reports revealed significant variations in governance practices and disclosure levels, but also provided valuable insights for senior executives and board directors about how the most valuable public companies approach cyber risk.
Board Committee Oversight of Cybersecurity
The main question the research sought to answer was how cyber risk was being overseen at the board level and the results were resounding. The majority of S&P 500 companies (71%) delegate cybersecurity oversight to their audit committees.
This trend is consistent across various sectors, though notable exceptions exist. For example, the financial services industry predominantly assigns cybersecurity oversight to risk committees, reflecting the sector's emphasis on risk management.
Many authorities, including the National Association of Corporate Directors, recommend that cyber risk oversight is a full board issue. However, the research identified only 41 companies that agreed, including Microsoft, JP Morgan Chase, McKesson and Pepsi. Other experts recommend companies have a dedicated cybersecurity committee to fully examine the risks, primarily within the information technology and consumer discretionary sectors. These specialized committees often emerge following significant cybersecurity incidents, indicating a reactive approach to governance.
Download the report (PDF, 4 pages)
Disclosure Practices in Proxy Statements
The research assessed the content of companies' cybersecurity programs and practices contained in the disclosure. While 79% provided some information, the depth and breadth varied considerably:
- Only one in five specified the frequency of cybersecurity briefings to the board, and then with limited value. Often just stating "regularly."
- Almost one-third of companies disclosed having employee security awareness training programs, a minimum step every company should have implemented.
- Few companies reference adherence to industry standards such as the NIST cybersecurity framework or ISO 27001, and only four companies explicitly mentioned their progress towards implementing zero trust principles.
- Seventeen companies emphasized the expertise at the board level by highlighting individual directors' cybersecurity qualifications.
- Fewer than one in 12 companies reported having had no material cyber incidents within a defined period; less than 1% acknowledged having experienced a significant cyber incident.
The findings suggest many companies could substantially improve transparency around their cybersecurity governance, risks, controls, and preparedness. More broadly, public companies could disclose information on certain topics, such as the frequency of CISO reports to the board, and whether any directors hold relevant qualifications, to allow investors to make a more straightforward comparison between organizations.
Download the report (PDF, 5 pages)
Disclosing Director Cybersecurity Expertise
Despite the SEC draft proposal to mandate disclosure of board members' cybersecurity expertise, the final rule omitted this requirement. The research suggests the SEC should reconsider this decision, because boards have not been transparent about director expertise in this area.
Only 17% of S&P 500 companies listed cybersecurity as a standalone skill in their board skills matrices. Instead, many companies bundled cybersecurity with other skills like technology or risk management. This approach can overstate directors' true cybersecurity proficiency. On average, companies listing cybersecurity as a standalone skill in the matrix had 4.4 directors with the skill; when cybersecurity/technology & innovation were bundled together, an average of six directors held the skill; and when cybersecurity was included as part of a skill named risk management, an average of 9.7 directors had the skill.
The research showed the need to carefully define cybersecurity expertise, requiring it as a discrete matrix skill, and justifying how directors gained skills in individual biographies.
Download the report (PDF, 4 pages)
A Work In Progress
The research underscores the evolving landscape of cybersecurity governance in large-cap U.S. companies. While many companies have made strides in enhancing board oversight and transparency, significant gaps remain. For senior executives and board directors, the findings highlight the need for a proactive, informed approach to cybersecurity governance. By fostering greater transparency and aligning practices with industry standards, companies can better manage cyber risks and meet the expectations of regulators and investors.
To learn more about improving cybersecurity risk oversight at the board level, please download Seven Steps for Board of Directors: Guide to Effective Cyber Risk Oversight, written by experienced directors Andy Brown and Helmuth Ludwig.