With Cyber Security Awareness month set to kick off on October 1, a new survey finds that the boards of U.S. companies should pay attention. The Wall Street Journal reports that an analysis by software provider Diligent found 88% of companies listed on the S&P 500 have no directors who are cyber security experts.
The survey defined “experts” as those who had served as a Chief Information Security Officer (CISO) or who had technology experience, including those who had previously held senior roles in technology. The survey also found that 52% of companies had at least one member of the Board of Directors with technology experience “adjacent to cyber security.” NightDragon CEO Dave DeWalt, who commissioned the survey with Diligent, said, “This lack of momentum in the boardroom continues to startle me.”
Without Leadership, Cyber Security Will Continue to Fall Short
If 100% of companies listed on the S&P 500 use technology, 100% should have some cyber security expertise on their boards of directors. These boards exist to set company priorities and guide business growth. Without directors who understand the ever-evolving strategies and techniques used by cyber criminals, it is difficult to take their security measures seriously.
New Securities and Exchange Commission cyber attack reporting rules that went into effect on September 5, 2023, may push some companies to pay closer attention to online security. The rules are a step in the right direction, but they fall short in one regard: a provision that would have required companies to detail cyber security experience on their boards was dropped from the final regulations. The SEC dropped this provision amid complaints that a specific level of expertise was not defined in the rules, that an insufficient number of cyber security experts were available to hold director positions, and that the requirement might limit diversity on company boards.
In other words, the Federal government backed off a sensible requirement because businesses said they could not find the right people. The gap in leadership starts with Federal regulators, then trickles down to the companies that face cyber threats.
Shareholders Must Take Notice
One benefit of the new SEC reporting rules is a requirement that publicly traded companies report cyber attacks and their impact on business activities. Shareholders should use this information to probe the expertise and cyber awareness of the companies whose stock they hold. Effective immediately, a search of a company’s filings in the EDGAR Database will reveal the number and severity of recent cyber attacks for any publicly traded company. Companies that suffer repeated attacks, or that suffer easily preventable attacks, should be held to account on their security practices and training.
Shareholders have the right to question company leadership and to demand change if they feel threats are not adequately addressed. The SEC disclosure rule puts the needed information in shareholders’ hands, but it is only valuable if shareholders use it to demand accountability.
Not every company needs a CISO on its Board of Directors, but every company should strive to have at least one director with significant cyber experience who can evaluate threats and risks. When that expertise is not available, companies must outsource experienced
All too often, companies fail to take action until after a cyber attack occurs. Criminals know this and see U.S. businesses as ripe targets for data theft and ransomware extortion. Solving this problem requires every U.S. business to see security as more than occasional employee training and software updates. The larger the company, and the more it relies on technology, the more critical the need for a comprehensive cyber strategy.
Small businesses have a role to play as well, as they are part of the overall “threat surface” for their clients and partners. Many companies have received letters from partners in recent weeks asking about their security practices and protocols as publicly traded companies ramp up their compliance.