One of Warren Buffett’s most famous quotes is: “Only when the tide goes out do you learn who has been swimming naked.”
New SEC rules mandate the public disclosure of board directors’ cyber risk biographies, and many experts anticipate seeing lots of bare bodies as 10-K filings roll out. But there’s a drastic gap in cyber expertise at the board director level. According to recent research that my company conducted, we estimate that 90% of Russell 3000 companies don’t even have one board director with the cybersecurity expertise the SEC wants to see. These companies are swimming naked—and many are scrambling to figure out how to cover up.
The 90% of boards that lack even a single bona fide cyber director have three basic actions to choose from: they can recruit new cyber-savvy board directors, retain outside expert advisors, or upskill existing directors and officers. Each of these options has pros and cons that boards must carefully weigh.
Option 1: Recruit New Cyber-Savvy Board Directors
The most obvious answer for companies is to recruit new cyber-savvy directors onto their boards. By doing so, they can directly solve their existing expertise gaps and avoid scrutiny from the SEC and the investor community, as publicly releasing new cyber directors’ resumes would instantly signal that things are covered. Having an experienced cyber director on the board enables a company’s leaders to hold confidential and candid conversations that are vital for forming a cyber risk strategy that aligns with the board’s overall risk tolerance levels.
But while this approach seems ideal on the surface, it’s not without its challenges. The reality is that there are precious few board-ready cyber experts. The market is full of technical experts, but many of them have difficulty meeting board-level expectations in terms of strategic thinking and governance mindsets. Companies will have to find qualified candidates and thoroughly vet them, a process that can take quite some time. Additionally, a board choosing to add an expert with such a niche focus also risks other board members seeing that expert as a “one-trick pony”—something that most boards seek to avoid, and that could create friction down the line.
Option 2: Retain Outside Expert Advisors
Another option companies have is to engage outside expert advisors at the board level, retaining their services for cyber-specific expertise and insights. The key advantage? Rather than relying on a single person in a director role, boards can assemble a small team of outside advisors with deep expertise in high-priority areas, such as AI in cybersecurity and cloud security. Combined, the knowledge of these experts will help boards identify various cybersecurity risks and develop precise action plans to combat those risks.
Retaining outside expert advisors can be a powerful option. Yet it also comes with some concerns. One glaring concern is that it’s unclear if engaging an outside expert would suffice for SEC disclosure purposes. Boards are required to disclose director biographies but not those of outside experts. So while boards will likely gain much-needed expertise via the hiring of external advisors, they may be left in a tough spot as far as optics with the SEC and the market at large.
Boards deliberating this approach should also consider cost and continuity. Namely, will they pay the premium prices for scarce talent? Will they continue to retain these external experts in a cadence that provides sustained value? Overall, I predict that retaining external advisors may be viewed as a discretionary move by boards—and as such, the practice may languish after the initial flurry of activity in 2023.
Option 3: Upskill Existing Directors and Executives
Finally, some boards may choose to enhance the knowledge of their existing directors and executives. There are industry training programs available to directors that focus on key cybersecurity concepts and provide detailed information about the effective governance of cybersecurity.
Universities are increasingly offering these training programs, placing an emphasis on the intersection of cybersecurity and business. Many of these courses offer solid fundamental education at a reasonable cost and don’t require huge time commitments. Outside of the university realm, there are industry-specific trade and education associations with governance-specific training and certifications that could be useful starting points.
The issue with this option, however, is that cyber risk is a deep domain of study, and people gain board-level expertise over years, often decades, of firsthand experience. There is no substitute for real-world expertise for in-depth cyber strategy formulation and leadership.
Additionally, such training for executives can prove to be a useful accelerator in advancing their skills on board governance and strategic risk management, preparing them for more active engagement with boards. This increased collaboration between executives and boards is an attractive option for most companies in any case. Executives are on the frontlines of leading companies forward, and the more they’re able to interact with their boards, the more savvily they’ll navigate the waters.
Don’t Be Caught Naked
Given that 90% of the Russell 3000 need cyber-savvy directors, that’s a gap of 2,700 directorships.
It will likely take years for companies to catch up, and that’s assuming that all companies need just one cyber board director. Many boards are planning a hybrid combination of all these options, testing what works for their particular situations and iterating from there. Regardless of which of these steps you decide to take for your company, keep in mind that the SEC’s 10-K disclosures are on the horizon. The time to suit up is now.