Society public and private company members responding to the most recent Society/Deloitte Board Practices Quarterly survey provided insights on their board cybersecurity and cyber risk oversight practices.
Oversight structure - Always a topic of keen interest to corporate governance professionals. Most respondents (66%) allocate cyber and cyber risk oversight to the audit committee; however, 37% have a combined full board and committee(s) oversight structure.
Board composition - Nearly 71% of respondents report having one or more directors with cyber experience.
Management liaison with the board - Although the principal management liaison with the board on cyber-related matters varies across companies, most companies (65%) say their chief information officer/chief information security officer assumes this role.
Board information - The cyber information management most commonly provides to the board concerns vulnerabilities, trends, and metrics. Less than 1% of respondents said their management team does not provide any cyber information to the board.
Management expertise was cited as the #1 resource boards/committees use in their oversight capacity to stay current on the cyber risk environment. Other resources boards use are shown here:
Frequency on the agenda - Cyber and cyber risk are most commonly on the full board meeting agenda annually.
Disclosure - Most companies (85%) voluntarily disclose the role of the board and/or committee in overseeing cyber risks. One-third or more of companies voluntarily disclose board/committee engagement with management on cyber matters (41%); cyber expertise on the board (40%); and cyber policies, procedures and risk management programs (36%).
Shareholder engagement - Less than 8% of respondents said that their major shareholders requested engagement with the board and/or management on cyber-related matters in the past year.
Respondents consisted of Society member corporate secretaries, in-house counsel, and other in-house governance professionals with public companies (89%) and private companies (11%) of varying sizes and industries. Access the survey results online and by company demographics here.
See also Audit Analytics’ “Importance of Internal Controls for Cybersecurity,” reporting that about 30% of public companies that experienced a cybersecurity incident since 2011 disclosed the impacts in a ’34 Act filing (most commonly, Risk Factors); Baker Hostetler’s newly released “2021 Data Security Incident Response Report” (release), revealing network intrusion as the leading cause of the 1,250+ data security incidents the firm helped clients manage in 2020, far surpassing phishing, which the firm had identified as the leading cause for the prior five years; and additional resources on our Cybersecurity/Data Privacy page.
This post first appeared in the weekly Society Alert!