September 30, 2020
With breaches, billion-dollar regulatory fines, credit downgrades, and share price declines dominating the headlines, board members are not the only ones who are worried about cybersecurity.
Investors are worried, too—and the drumbeat is getting louder. Almost two-thirds of the world’s institutional investors are concerned about the impact of cybersecurity threats on their investments, making cyber issues investors’ top environmental, social, and governance risk, according to the 2019 RBC Global Asset Management Responsible Investment Survey. As reported in a recent Ernst & Young Global survey of institutional investors with more than $35 trillion in assets under management, cyber risk is the number-three threat to portfolio companies’ strategic success over the next three to five years. And even the world’s greatest investor, Warren Buffett, commented within the past few years on cybersecurity: “There’s a very material risk which didn’t exist 10 or 15 years ago and will be much more intense as the years go along.”
What do investors want? More information from companies about their cybersecurity performance. What investors are currently getting is inconsistent, boilerplate information with significant gaps; the lack of data and transparency is leading to increased frustration and concern throughout the investor community as breaches pile up and risks remain unknown. Similar to the growing demand for sustainability and governance information, investors want real, quantifiable, and objective data and metrics about cybersecurity performance. How much is the organization spending on cybersecurity? How effective are the security measures? Have they experienced an incident?
For board members, this may sound all too familiar. In many ways, the data and insights that investors want are exactly the data and insights that the board struggles to access. And the lack of measurable data is having a negative impact on the board’s ability to understand and manage cybersecurity. In a new study from Swiss Re Institute and GEC Risk Advisory, 90 percent of executives reported a “limited understanding” of cyber resilience at their companies. This mirrors previous board-level surveys, including a 2016 study conducted by Stanford Law School which found that 91 percent of board members cannot interpret their company’s cybersecurity reports. It is an issue we hear time and time again from board members: while surveys suggest that the board’s understanding of cyber risk continues to improve, the information that security and risk professionals provide in their board reporting is still far too technical for directors to digest.
On the one hand, security professionals need to change the way that they communicate security performance information and focus on the metrics that matter. But while the chief information security officer must do better, so too must the board member. Ultimately, the board is responsible for getting the right type and level of insight into the security posture of the company and ensuring that information is effectively communicated to investors to provide greater assurance.
So, what should board members do? They can start by seeking answers to two critical questions:
The board’s role is critical in overseeing cybersecurity, but also in effectively communicating to investors and other stakeholders. Board members can do their part by focusing on these two critical questions, changing the way that they understand cybersecurity, but also taking a step toward creating a stronger relationship with investors on this most critical issue.
Jake Olcott is vice president of communications and government affairs at BitSight.