January 24, 2023 – In a new report that anticipates the Securities and Exchange Commission’s (SEC) finalizing new rules for boardroom cybersecurity accountability and expertise, DHR Global is raising concerns about the lack of such protections at public companies of all sizes. “Where entire boards have cyber oversight, it’s a nightmare as directors struggle to learn the evolving cyber landscape and NACD or NIST policies, as well as recommended board practices, all while worrying about external breaches,” said Kathryn Ullrich, managing partner in DHR’s tech-focused Silicon Valley office and a member of the technology and diversity practices.
“We believe most public companies of all sizes are ill-prepared for upcoming SEC regulations on cybersecurity and risk assessment,” said Heather Smith, partner in the board and CEO practice at DHR. “It’s obvious that a sea change is underway at the board level. As a result of the SEC identifying the need and issuing new guidance, we’ve already had a number of boards looking to hire CISO board directors who understand the latest vulnerabilities and best strategies on cyber risk.”
In its proprietary research into how America’s top 500 public company boards of directors are managing cybersecurity threats, DHR Global found that only 1.4 percent (seven out of 500 companies) said they have a current or former CISO on their board. Just one-quarter (23 percent) of the companies said they have a current or former chief information officer on their boards. In addition, the vast majority (65 percent) assigned their audit committees to take on the added responsibility of directing and reporting on cybersecurity.
Approximately half (48 percent) said that their board members have cybersecurity skills, although seven percent of those didn’t identify where these skills reside. One-quarter (24 percent) said they are assigning cyber oversight to their full boards. Only 12 out of 500 companies, or 2.4 percent, said they have created cybersecurity committees. In addition, only 11 out of 500 companies assigned their risk committees to oversee cybersecurity.
“These findings are in line with what I’m hearing from companies that are looking for individuals who have recent cyber experience, which they describe as within the last two years,” said Ms. Ullrich. “Some companies have cyber experience without CISOs and would get credit for meeting the expected SEC guidelines. An overwhelming majority of the inquiries, however, are from boards that don’t have any functional technical experience – even in the form of CIOs – and are suffering as a result.”
Kathryn Ullrich is a managing partner in DHR’s tech-focused Silicon Valley office, and a member of the technology, professional services, private equity and diversity practices. She focuses on CEO, COO, C-suite and VP-level executive leaders with skills in disruptive and innovative technologies such as AI, autonomous vehicles/future mobility, cloud services, cybersecurity, data analytics, healthcare technology, IoT, payments and SaaS. She also has a search specialty in CIO, CISO, Chief Data Officer and information technology executives for leading academic and academic medical institutions.
Reportedly, the SEC’s new rules regarding boardroom cyber accountability are expected to be finalized early this year. The changes will go beyond the National Association of Corporate Directors (NACD) guidelines, which generally reference the need for cyber threat discussions, the legal implications of incidents, having access to independent experts, understanding expectations of management and the board, and how to manage risk in a world where total cybersecurity is unrealistic.
Similarly, for some years, boards have referred to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This voluntary and customizable approach organizes the response to cybersecurity risk into five concurrent core functions: identify, protect, detect, respond, and recover. The framework serves as a best-practice guide for raising awareness about cybersecurity and the importance of effective communications with internal and external stakeholders.
DHR Global says it has seen an uptick in demand for cybersecurity specialists to join boards, even before the SEC’s new rules came into focus. The firm says it has been actively concentrating on what the right cybersecurity expertise encompasses at the board level and how it will dovetail with other board positions such as the chief information officer, and it is recommending that its clients get ahead of the new rules by recruiting highly qualified chief information security officers to take their seats at the table as board directors.
For many, DHR’s findings were eye-opening, indicating a need for SEC cybersecurity standardization and oversight.
Cyber Experts on the Board
According to DHR’s research, 238 companies disclosed the personal profiles of 443 individuals who brought cyber expertise to the boardroom. A significant proportion of the cyber experts (58 percent) had prominent roles in the C-suite, including CEO, chief operating officer, chief financial officer and other executive positions. Another group of 77 individuals (17 percent) held senior executive titles such as executive vice president, senior vice president, vice president, and general counsel.
The DHR report found that another 45 individuals (10 percent) were active on various boards as professional board members; however, most had not held an executive role in the last decade. Other professionals gained cyber expertise from their previous careers in the military (seven percent), government (five percent) and academia (less than three percent).
Boards with a CISO or CIO
DHR further investigated the number of CIOs and CISOs who are on boards now because of the technical nature and rapid rate of evolution for cyber risk. In conversations with board members, the firm learned about some who are considered to be cyber experts because they were technology industry executives – albeit not from technical fields.
As a member of the board & CEO practice at DHR, Heather Smith works with clients to successfully place C-level executives, chairmen, CEOs and board directors. She is based in Chicago. Ms. Smith works with public, private and private equity-owned corporations across industries to build and refresh boards and execute CEO succession plans.
DHR also learned about audit committee members who lack technical expertise, as well as lengthy audit committee reports that had a single page devoted to cyber risk. “These board members are scrambling to learn cybersecurity and cyber risk because they’re perceived as the most technical board members,” the report said. “The problem is that they don’t have cyber expertise. It’s surprising that only seven out of the top 500 U.S. public companies have a board member who is a current CISO or previously held this title. One-quarter of the pool includes at least one current or prior CIO as part of the board team.”
Since CISOs and CIOs have comprehensive skills in cybersecurity and information technology security, DHR said it expects that more companies will add at least one of those roles to their boards.
DHR emphasized that the 500 largest U.S. public companies should be leading the way in demonstrating cyber expertise on their boards, yet its research shows that even these companies may not have the required expertise to address increasing risks from cybersecurity threats.
“In the absence of federal oversight, companies have been left to figure out how to respond to cyber-related risks,” the DHR report said. “This has resulted in a crazy patchwork of approaches and a broad range of people who have various job titles and expertise and are expected to lead the oversight of cybersecurity risk. These issues will only be compounded for smaller and mid-cap public companies that have similar resources and face cyberattacks.”
DHR has also seen companies that don’t focus fully on cybersecurity. As a recent Harvard Business Review article, “Is Your Board Prepared for New Cybersecurity Regulations?” noted: “Most organizations … focus on cyber protection rather than cyber resilience. … Resiliency is more than just protection; it’s a plan for recovery and business continuation. Being resilient means you’ve done as much as you can to protect and detect a cyber incident and you’ve also done as much as you can to make sure you can continue to operate when an incident occurs. … The ultimate goal of a cyber-resilient organization would be zero disruption from a cyber breach.”
DHR Global suggested that boards consider the depth of their members’ cybersecurity knowledge to effectively manage risk from cyberattacks. “A few of our clients have seen firsthand that when boards appoint a CISO or CIO board director who has recent, relevant industry expertise and create a cybersecurity committee to manage risk, they improve their companies’ security and resiliency,” DHR said.
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media