Safeguarding Cyber Assets

Corporate Board Member
Third Quarter 2014
To get a better grasp on how U.S. boards are handling cybersecurity roles and responsibilities, NYSE Governance Services, Corporate Board Member and RSA, in association with EY, surveyed more than 200 audit committee members this spring on a variety of issues regarding their cyber risk oversight program.

In a marked turn from a decade ago, the survey found the majority of directors believe that IT/cyber expertise within their ranks is needed. Nearly 60% of directors from our survey said having at least one board member with a specific IT background is necessary to help make sound decisions related to IT risk oversight.

The survey asked directors to choose from among several challenges they currently face with regard to their oversight of IT/cyber risk. Eight out of 10 respondents (83%) stated their biggest challenge is that the sources of risk are constantly changing. In addition, almost half of directors (48%) worry they don’t know enough to ask the right questions.

“Adding IT expertise to the board is a good talent diversification strategy that helps address the knowledge gap among directors. Yet the more complex board challenge that remains is the difficulty of quantifying cybersecurity risk and determining ‘how much is enough?’” says Julie Bernard, principal, Advisory Services, Ernst & Young LLP.

The survey asked several questions designed to ferret out directors’ opinions on how well they oversee IT/cyber risk, and the results suggest there may be room for improvement. Only 21% of directors say their company has IT risk well under control with regard to a possible cyber breach; the majority (58%) say they “somewhat agree” that it is under control. Moreover, only a quarter of directors say they are quite confident in management’s ability to respond to and mitigate the scope of a cybersecurity threat. Finally, only 30% say the board is “very effective” at holding management accountable for managing cybersecurity risk; the majority (57%) rate the board “somewhat effective” at holding management accountable.

“Cyber risk is just the latest risk board members must address, and good directors are doing so in the context of the company’s overarching risk management process,” says Erica Salmon Byrne, executive vice president, compliance and governance solutions, NYSE Governance Services, an Intercontinental Exchange company. “Breach plans, drills, and testing protocols are the responsibility of the IT team and leadership team, but directors must be quizzing leadership on how they are approaching cyber risk and where it fits into the company’s risk profile. Without that, the board isn’t fulfilling their obligation to shareholders,” she says.

Interestingly, most directors surveyed believe the incidence of damage related to cybersecurity at their company has remained the same (64%) over the last year; only 15% believe it has increased at their organization. By contrast, EY’s Global Information Security data points to higher levels of reported damage incidence, perhaps indicating a lack of communication between companies’ boards of directors and their security teams.

Overall, industry data shows global cyber risk is growing both in scope and severity, yet the survey demonstrates that in practice, boards are not always addressing it as a top priority. Indeed, when asked how often the board discusses topics related to risk and enterprise value, 42% admitted their board only occasionally discusses cyber/IT security. While cybersecurity is rising in perception at the board level, there is still much related to cyber risk oversight that directors are grappling with. In today’s environment, experts at EY/RSA maintain, no one defense will create an impenetrable barrier to cyber threats, and therefore it is critical for the board and executive management to regularly evaluate—and reevaluate—their companies’ assets and continually monitor them for potential threats.

For additional findings from this survey, the white paper Managing Cyber Risk: Are Companies Safeguarding Their Assets? may be accessed online at