A recent survey conducted by NYSE Governance Services in cooperation with security vendor Veracode is creating a buzz. The survey of nearly 200 directors of publicly traded companies offered some interesting insight into how cybersecurity is viewed at the board level.
The attention being paid to cybersecurity is evidenced by the fact that 80 percent of the respondents said cybersecurity is discussed at nearly every board meeting. That level of attention is consistent with the finding that two-thirds of the directors surveyed are “less than confident” that their companies are “properly secured” against cyber attacks. Perhaps the single most compelling finding of the survey came in response to the question “Who do you hold accountable when a major breach occurs at your company?” The directors made it very clear that the CEO has primary responsibility for the company’s capability to defend itself against cyber breaches. The aftermath of breaches at Sony and Target may be setting a harsh precedent for expectations of how CEOs must handle the response.
Not surprisingly, the top concern associated with a cyber attack is the potential for brand damage. The loss of brand value is consistently ranked as a leading concern for corporate boards, but reputation historically has been viewed as an intangible asset whose value is difficult to measure. Deloitte’s 2014 global survey on reputation risk quotes a World Economic Forum study that states that, on average, more than 25 percent of a company’s market value is directly attributable to its reputation. Boards now seem to be recognizing that maintaining reputation through effective mitigation of damage is far preferable to, and much less expensive than, working to restore reputation.
Directors clearly have gotten the message that vendors and suppliers can be a substantial source of cyber risk. Over 70 percent of those surveyed by NYSE Governance Services and Veracode said they have significant concerns related to risk imposed by third-party software in their systems.
The survey offers another sobering reminder of how rapidly cyber risks are changing corporate culture and shaping the conversations in the boardroom and the C-suite.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
June 2, 2015