Investors Are Worried About Cybersecurity: What Boards Should Do
With breaches, billion-dollar regulatory fines, credit downgrades, and share price declines dominating the headlines, board members are not the only ones who are worried about cybersecurity.
Investors are worried, too—and the drumbeat is getting louder. Almost two-thirds of the world’s institutional investors are concerned about the impact of cybersecurity threats on their investments, making cyber issues investors’ top environmental, social, and governance risk, according to the 2019 RBC Global Asset Management Responsible Investment Survey. As reported in a recent Ernst & Young Global survey of institutional investors with more than $35 trillion in assets under management, cyber risk is the number-three threat to portfolio companies’ strategic success over the next three to five years. And even the world’s greatest investor, Warren Buffett, commented within the past few years on cybersecurity: “There’s a very material risk which didn’t exist 10 or 15 years ago and will be much more intense as the years go along.”
What do investors want? More information from companies about their cybersecurity performance. What investors are currently getting is inconsistent, boilerplate information with significant gaps; the lack of data and transparency is leading to increased frustration and concern throughout the investor community as breaches pile up and risks remain unknown. Similar to the growing demand for sustainability and governance information, investors want real, quantifiable, and objective data and metrics about cybersecurity performance. How much is the organization spending on cybersecurity? How effective are the security measures? Have they experienced an incident?
For board members, this may sound all too familiar. In many ways, what investors desire by way of data and insights are exactly the data and insights that the board struggles to access. And the lack of measurable data is having a negative impact on the board’s ability to understand and manage cybersecurity. In a new study from Swiss Re Institute and GEC Risk Advisory, 90 percent of executives reported a “limited understanding” of cyber resilience at their companies. This mirrors previous board-level surveys, including a 2016 study conducted by Stanford Law School which found that 91 percent of board members actually can’t interpret their company’s cybersecurity reports. It is an issue we hear time and time again from board members: While surveys suggest that the board’s understanding of cyber risk continues to improve, the information that security and risk professionals provide in their board reporting is still far too technical for directors to digest.
On the one hand, security professionals need to change the way that they communicate security performance information and focus on the metrics that matter. But while the chief information security officer must do better, so too must the board member. Ultimately, the board is responsible for getting the right type and level of insight into the security posture of the company and ensuring that information is effectively communicated to investors to provide greater assurance.
So, what should board members do? They can start by seeking answers to two critical questions:
1. Do we have a strategy to minimize a material cyber incident? Not all cyberattacks are meaningful. A material cyber incident is one that would have an impact on an investor’s investment decision-making. The loss of valuable intellectual property, blueprints, research and development, or critical customer data? The disruption of information technology infrastructure, causing delivery failures? These are the incidents that demand the board’s attention and are at the forefront of investors’ focus and concern. In collaboration with senior management, the board should be involved in the development of a cyber-risk management strategy with the goal of preventing a material cyber incident from occurring. This strategy should include approaches to mitigate risk through technology, training, and policies; transfer risk through the acquisition of cyber insurance; and consciously accept risk knowing that not all risks can be remediated. By focusing on the most critical risks, boards can communicate more effectively with investors about strategic initiatives, which should provide confidence that the company is focused on the right things.
2. How do we measure the effectiveness of our cybersecurity program? Boards should be leveraging a variety of performance metrics (see the NACD Director’s Handbook on Cyber-Risk Oversight, pp. 60-62) that are well understood by directors, including strategic, operational, and tactical metrics that help communicate the effectiveness of the organization’s program. One critical metric to include is independent peer benchmarking to provide a context for the company’s performance. The importance of benchmarking cannot be overstated. According to the Council of Institutional Investors’ 2016 Prioritizing Cybersecurity guide, significant disparities in cybersecurity performance between a company and its peers “may signal that the company’s existing strategy is ill-suited to its size or industry, is not being carried out effectively by management or personnel, or involves security controls and/or technology that have not been deployed or configured properly.”
The board’s role is critical not only in overseeing cybersecurity but also in effectively communicating to investors and other stakeholders. Board members can do their part by focusing on these two critical questions, changing the way that they understand cybersecurity and taking a step toward creating a stronger relationship with investors on this most critical issue.
Jake Olcott is vice president of communications and government affairs at BitSight.
Jake has held a number of leadership roles at BitSight since joining the company in 2015. Prior to BitSight, Jake served as cybersecurity attorney to the Senate Commerce Committee and House Homeland Security Committee. He previously consulted with Fortune 1000 executives on cyber risk management and served as an adjunct professor at Georgetown University.