Adding Cybersecurity Expertise to Your Board
Most corporate boards lack directors with adequate skills to oversee cyber risk. New SEC regulations make correcting that deficiency more urgent.
Against a backdrop of persistent cyberattacks, and spurred on by new regulations, corporate boards are scrambling to build better capabilities to oversee cybersecurity risk management.1 While this is good news for healthy corporate governance, it presents immediate challenges to companies looking to identify and recruit new directors with the right mix of skills, experience, and contacts.
Given the significance of cybersecurity risk, increased attention to board skills and composition in this area is overdue. Respondents to PwC’s 2023 Annual Corporate Directors Survey rated cybersecurity risk second only to strategic/disruptive risks as a significant challenge to their board, and 64% reported that they had increased the amount of board meeting time devoted to the topic in the past 12 months. However, only 19% said they had added a new board member with cybersecurity experience in the past year.2
Boards of public companies that lack strategic expertise in cybersecurity might be more vulnerable to attacks by cybercriminals, and that exposure will soon be more evident to investors — and potential customers doing due diligence. In July 2023, the U.S. Securities and Exchange Commission adopted new rules that mandate prompt and comprehensive cybersecurity disclosures, beginning with 10-K forms filed after Dec. 15, 2023.3 The new rules mandate disclosures about how cybersecurity risks are identified and managed, and management’s role in implementing cybersecurity policies and procedures. Companies are now required to describe the board’s oversight of risks from cybersecurity threats and board directors’ level of cybersecurity expertise.4 Overall, the new rule is intended to improve investors’ awareness of both risk management practices and material cybersecurity incidents.
Complex, ever-evolving cybersecurity risks that are intertwined with business risks require the focused attention of at least one board director with deep technology and business knowledge and experience. For example, decisions to use emerging technologies such as AI to gain operational efficiencies need to carefully weigh the potential for new security risks.
References
1. “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission, July 26, 2023, www.sec.gov; “National Cybersecurity Strategy,” PDF file (Washington, D.C.: The White House, March 2023), www.whitehouse.gov; and “Executive Order on Improving the Nation’s Cybersecurity,” The White House, May 12, 2021, www.thewhitehouse.gov.
2. “Today’s Boardroom: Confronting the Change Imperative,” PDF file (London: PwC, 2023), www.pwc.com.
3. “Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules,” PDF file (Washington, D.C.: U.S. Securities and Exchange Commission, 2022), www.sec.gov.
4. M. Galligan and C. Oven, “A New Chapter in Cyber,” Deloitte, June 2022, www2.deloitte.com.
5. “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” Cybersecurity & Infrastructure Security Agency, accessed Nov. 21, 2023, www.cisa.gov.