The National Association of Corporate Directors (NACD) recently released the results of its flagship 2017-2018 Public Company Governance Survey, which identifies key areas of concern for corporate directors.
This year’s survey results contain both troubling and encouraging findings concerning the current state of cybersecurity risk readiness at public companies.
Not surprisingly, the survey of 587 corporate directors of 520 public companies identified cybersecurity threats among the top five trends predicted to have the greatest effect on companies over the next 12 months, trailing behind only risks associated with significant industry change, business model disruption, and changing global economic conditions.
The (somewhat) good news
The encouraging news from the survey is that boards seem to be slowly gaining a better understanding of cybersecurity risks, enabling them to better vet and question the information they receive from corporate management about cyber risks.
This year, 15% of directors believe that their boards have very little or no knowledge of cyber risks, compared with 22% in 2015. By any measure, however, 15% is a remarkably high number for public companies concerning this critical risk.
On a brighter side, it appears that more of today’s corporate directors are not blindly accepting internal reporting concerning their company’s state of cyber readiness. Twenty-two percent (22%) of directors indicated dissatisfaction with the quality of cyber risk information they receive from corporate management. Those directors believe either that they lack adequate transparency into the company’s cybersecurity problems or that the information they receive does not allow for effective internal and external benchmarking.
These should be critical areas of concern for every corporate director, as responsibility and liability for cybersecurity is beginning to reach board levels, as exemplified by the New York State Department of Financial Services (DFS) Cybersecurity Regulation, which contains explicit board responsibilities and mandates written certification of compliance with the regulation by the board or a senior officer. It is widely anticipated that other regulators will follow DFS’s lead and adopt similar regulations, further increasing the cyber risk stakes for corporate directors.
The bad news
The survey also contains some findings that have no silver lining. Only 37% of directors are confident or very confident that their companies are properly secured against a cyber attack, while 60% indicated that they are only slightly or moderately confident. Three percent (3%) responded that they are not at all confident.
In the survey’s Executive Summary, the NACD noted that the lack of board confidence “may be driven by the fact that existing defense systems quickly become obsolete when cyber threats mutate and companies adopt new technologies.”
This year’s NACD survey provides an important reality check for directors and their legal counsel concerning the current state of board awareness and competence relating to cyber risk. Those risks are now firmly on the shoulders of today’s corporate directors.
Indifference to the risks or simply accepting internal reporting about them will not suffice, given their gravity and the financial, competitive, and reputational impact they can have on the enterprise.
Judy Selby, J.D., is a principal of Judy Selby Consulting LLC and a senior advisor at Hanover Stone Partners LLC. She provides insurance consulting, cyber insurance analysis, and insurance coverage expert witness services, with a particular focus on cyber-related issues. She can be reached at email@example.com.
Originally published on LegalTech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.