May 21, 2019

Danger, Danger, No Cyber Ranger: Why Boards Need More Cyber Experts

The notification of a data/privacy breach from your company is never well received by stakeholders. After all, no one wants their social security number, healthcare and other private information available for public consumption. Yet, almost daily there is a headline story of personal data inadvertently exposed by employees or hacked by crooks, foreign governments, 15-year-old kids, etc. We’ve learned over the years that cyber intrusions can come from anywhere. Ask Sony Corporation, which experienced a devastating hack in 2014.

Today, every company, no matter how large or small, is using some aspect of the internet. The technology-enabled company is table stakes. Any company using email, cloud computing, supply chain applications, portals (and the list goes on) is a potential candidate of one type of cybercrime or another.

For example, Facebook, a technology company focused on data, analytics and connectivity has reported three significant security breaches in the past six years with data from 500MM users exposed in 2018 alone. The CEOs of Equifax and Target both stepped down after high profile data breaches that sent millions of personal credit data spilling into the dark web. Regrettably, this list goes on and on and on. The big takeaway is organizations can’t stop this. They need to treat cyber-threats as a potential risk to the business. Cyber, like any other aspect of the business, needs to be managed and reported to the board on a regular basis. Another company unprepared for the fallout from a cyber-attack, health insurer Anthem suffered reputational harm when a pair of recently indicted Chinese hackers stole the health identification numbers, dates of birth, social security numbers, addresses and employment information of more than 80MM of its plan members between 2014 and 2015. Data and privacy breaches impact the best run businesses. All of the companies referenced above, and a host of others, continue to address the reputational and monetary damage created by such breaches. In addition, other companies are being held accountable by governments in several regions around the world.

“Today’s world moves at warp speed. Regrettably, corporate reputations can be damaged quickly. Whether it’s a faux pas on social media, a #metoo issue that becomes public fodder or a cybersecurity breach outlasting a 24-hour news cycle, the old saying “an ounce of prevention is worth a pound of cure” can be applicable here. To that end, it is important for boards of directors to understand cybersecurity risks and have a plan in place to quickly and confidently address any breaches. Privacy and data breaches can impact all stakeholders. With employees using personal devices to access work emails, corporate data in the cloud, and hackers becoming more devious, think like a hacker. Stay one step ahead, make cyber a full board issue, and be prepared for the unexpected.”

Dayna Harris, Partner, Farient Advisors

Investors continue to demand more oversight from their portfolio companies’ boards of directors. They are expecting them to work closely with management to set the strategy of the organization, align executive pay with achieving strategic objectives, and have the right skill sets in place at the company to grow, sustain and protect the company. In this Farient Brief, we explore the backgrounds of directors at S&P 500 companies to evaluate the big if: Are companies adding board members with cybersecurity experience, and are they doing this quickly enough to make a difference?

Cybersecurity And The S&P 500

In assessing the cyber expertise of S&P 500 companies at the board level, the Farient team reviewed the backgrounds of current directors. We researched biographies containing keywords and phrases such as “cyber,” “information security,” and “data security.”  Our discoveries are highlighted below. As one might expect, there is some good news and some not so good news.

First, we found very few S&P 500 companies have cyber expert board members who specifically reference these skills. In fact, only 16% of S&P 500 companies currently have a board member who’s a cyber expert. Not surprising, the percentage ranges significantly by sector, with 32% of Information Technology companies identifying cybersecurity experience on their board and only 3% of health care companies reflecting the same.

Percent of Cyber Experts on Boards by Industry

However, here is the good news. Companies are moving in the right direction. We found the number of new board members who are cyber experts according to their biographies has been steadily increasing since 2010. However, the percentage of new board members referencing information security in their bios has remained relatively constant over the past 5 years at about 2.2%.

New Cyber Expert Board Members by Year

Not surprisingly, given our initial observation, the new directors added in the last nine plus years are primarily concentrated in three sectors, Information Technology, Financial Services and Industrials.

New Cyber Experts on Boards by Industry

Conclusion

Information security is becoming one of the most critical areas of board oversight. As investors focus on board composition, diversity of skillsets will continue to be an important issue. Adding cyber expert directors with experience in cyber security, information technology architecture, and implementation is becoming a priority. Boards will be well served to recruit the appropriate talent before there is a crisis.

Our team at Farient recommends five steps to help boards prepare for potential cyber threats.

Five Steps to Manage the Risk of Cyber Threats

  1. Recruit a cyber-expert for your board: Investors want to see diverse skills, and there is no time like the present
  2. Create a Technology Committee for the board: Too many important areas are relegated to the audit committee. Now is the time to build out the technology committee
  3. Bring in the experts: Engage an external firm to perform a cyber-risk assessment and evaluate your leadership talent and organizational infrastructure to address threats. Recognize the power of crisis management. Proper planning prevents poor performance. When something bad happens, it may go beyond the capabilities of [even a great] PR team
  4. Educate all employees about cyber-security risk, from not opening unfamiliar documents, to leaving a computer unattended or disconnecting from the internet overnight
  5. Think like a hacker: Identify where your business is vulnerable, take steps to blunt the opportunity for attack and ensure any security upgrades are communicated, implemented, and uploaded quickly
Tweet
Email
Share