• Though more than 76% of the surveyed corporate directors say their boards had at least one cybersecurity expert member, only one-third highly regarded their board of directors’ ability to navigate a security disaster.
• Leadership is not as proactive as it should be in getting ahead of incidents. Fewer than half of the board of directors who participated in the study had conducted cybersecurity tabletop exercises in the last 12 months.
The Wall Street Journal and the National Association of Corporate Directors surveyed 472 directors across all industries about their current cyber risk management postures and their respective levels of preparedness. The survey comes in advance of new US Securities and Exchange Commission (SEC) requirements that public companies release uniform reports on cybersecurity risk management, governance, incident reports, and cybersecurity expertise within their board of directors. The survey results paint a mixed picture that reveals a fairly high level of expertise but a largely reactive approach to security.
Most participants thought their management was in good position to manage cyber risk, with 16% rating that capability as “excellent” and 43% grading it as “very good.” However, the Wall Street Journal saw a significant delta in this area between public and private companies. Fifty-one percent of private companies say management was “excellent” or “very good” in shepherding the organization’s risk management strategy compared to 71% of public firms.
While a vast majority (84%) of corporate directors had at least a moderate understanding of their cyber crisis management responsibilities, there were gaps gap in two verticals – the highly targeted energy and utilities sector and professional services firms. Twenty-six percent of professional services firms say they were “not very clear” or “not at all clear” on the part the board should play in responding to a cyber emergency; 21% of energy and utilities admit to the same issue.
While the largest companies have a good understanding of what corporate board responsibilities will be with respect to the new rules, the smaller the firm the hazier that perspective gets. While 50% of large public companies say they were “very clear” and 45% “somewhat clear,” only 60% of smaller businesses have that same grasp.
Fewer than half of all companies have conducted cybersecurity “tabletop exercises” in the last 12 months. These exercises shed light on regulatory responsibilities and simulate potential incidents so they can work through potential mitigation strategies. This underscores the reactive nature to security of most companies, public and private.