Search
Close this search box.

Media & Insights

FORBES: 90% of Boards Not Ready For SEC Cyber Requirements

CAP Group analysis shows that 90% of Russell 3000 companies lack a director with cybersecurity expertise.

Boards are under increasing pressure to provide sound oversight of cybersecurity risk, but often lack the expertise required to be effective. Using publicly available data from sources including the Wall Street Journal, Ernst & Young, Spencer Stuart, and ISS Corporate Solutions, board advisors at my company recently completed a comprehensive analysis of board-level expertise that shows that up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise.

Our analysis showed that only 51% of Fortune 100 companies have a director on their boards with relevant cybersecurity experience. The situation in the Fortune 200 and 500 is more concerning: only 9% have cyber-savvy directors. Worse still are the companies in the Russell 3000 smaller than those in the Fortune 500: only 8% have cyber directors. There is a total shortage of 2,724 directors with cybersecurity expertise across all Russell 3000 companies. 

This problem is especially relevant now that the SEC is mandating the public disclosure of director experience in cybersecurity. It is more important than ever for companies to understand cybersecurity risks, changing regulations and ideal characteristics of cyber-savvy directors.

New SEC Rules Are Imminent

The SEC is finalizing regulations that will significantly increase the requirements for the transparency and expertise of boards of directors. Proposed in March 2022 and expected to go into effect in April 2023, the new SEC rules will require increased public disclosure in key areas:

Director expertise: Companies are required to include board directors’ cybersecurity experiences and résumés in public disclosures, such as Forms 10-K and 8-K. 

Cybersecurity risk oversight practices: Companies must disclose governance methods and risk analysis and management processes in SEC filings. 

Details on cyber incidents: Companies must publicly disclose individual incidents deemed “material”—or clusters of small incidents that combine to create a material incident— to the SEC within four days of determining that such a situation has occurred.

These new rules will remove any ambiguity about director competence in this key area and provide the markets at large with a dramatic increase in transparency. While the forthcoming regulations don’t specify minimum requirements, the public disclosure requirements will quickly allow shareholders and regulators to judge for themselves whether director expertise is sufficient. Many boards have a long way to go to ensure this expertise will withstand the new public scrutiny.

Governance Requires Cybersecurity Expertise

Cybersecurity risk is a relatively new entrant to the corporate board landscape, with material risks only emerging in the last 10 to 15 years. While most boards are well-staffed in traditional areas like finance, sales and operations, only a handful have kept pace with the deep and narrow domain of cybersecurity. 

Cybersecurity is a novel combination of technology, crime-fighting and even warfare. Savvy cyber executives understand the fluid nature of attacks and defenses and can understand complex technical topics that are often beyond the grasp of even technology generalists, including many CIOs. 

Boards need to have sufficient understanding of these concepts to ask the right questions, to provide meaningful guidance to executive teams and to interpret performance metrics. While non-cyber directors provide good general oversight, they simply lack the detailed expertise required to protect shareholder interests.

The Target: One Cyber Director per Board

Our analysis sought to identify which boards have at least one director with cybersecurity as a specific domain of expertise in their backgrounds. This expertise could be gained as a technology executive at-large, CIO, CISO or through other relevant experience. 

Ideally, all directors on a board have a fundamental understanding of cybersecurity risks and strategies for protecting the enterprise. But it is important to have at least one director who has demonstrated cybersecurity experience and expertise—allowing that director to guide the rest of the board in understanding:

    • What questions to ask of the executive team.
    • What “good” looks like for minimizing cybersecurity risk.
    • How to monitor cybersecurity performance at a board level.

Cyber-Savvy Directors: Four-Leaf Clovers

Finding the right director for a board is always challenging, but it is especially difficult in this vital area. According to our research, the ideal candidates have a rare combination of four key characteristics:

Cybersecurity-specific expertise: The right director needs firsthand experience and expertise in managing cybersecurity operations and strategy. While generalist technology skills are important, they are simply insufficient. Specific cyber skills are vital.

Strategic perspective: Many with cybersecurity expertise have backgrounds as CIOs or CISOs and have been successful by attending to the details of daily execution. That tactical focus is crucial for success as an executive, but directors must operate at a higher level, providing oversight from a strategic, multi-year perspective.

Governance, not management: The roles of directors and officers are fundamentally different in one key respect. Officers manage, and directors provide oversight. This subtle but important distinction is often a challenge for first-time directors who have grown up through the executive ranks. The successful cyber director will provide insights that focus more on the what than on the how.

More to offer: Cybersecurity expertise is essential, but a board deals with more than just cyber matters. An ideal director is a technical executive who has dealt with not only cybersecurity but also broader technology or digital initiatives, such as increasing revenue or increasing operational efficiency.

Taken together, these characteristics limit the candidate pool dramatically. Finding candidates who meet multiple criteria can be daunting but not impossible. Savvy companies will start taking a hard look at their boards now and determining what changes need to be made. They will see this challenge as an opportunity to address gaps and expand expertise within their boards—to meet SEC requirements and, more importantly, to improve their cybersecurity resilience.

Learn more about The CAP Group or follow me on LinkedIn
See this article on Forbes,  Medium, or Substack
 

Founder and CEO – The CAP Group


Author