2021 Board Practices Report - Cyber Oversight

Board Practices Quarterly
2021 Cyber Oversight
May 2021


In September 2020, Deloitte and the Society for Corporate Governance announced the collaborative launch of the Board Practices Quarterly, a new series of periodic reports based upon brief surveys of Society members. The Quarterly replaces our long-standing Board Practices Report to bring you insights and benchmarking data more frequently.

With breaches continuing to dominate the headlines, cybersecurity and cyber risk remain among the top areas of investor, regulator, consumer, and other stakeholder focus, with growing pressure for businesses of all types and sizes to articulate how they are actively managing and mitigating the risks. Boards are expected to be well-informed about their company’s cyber posture and to demonstrate effective oversight. These pressures and expectations have multiplied with new challenges prompted or accelerated by the COVID-19 pandemic, such as remote work, increased use of personal devices, use of new technologies that may lack security protections, budget and resource constraints, and expanded-scope cyberattacks that have flourished in the changed environment.

This issue of the Board Practices Quarterly presents findings from a March 2021 survey of in-house members of the Society for Corporate Governance about how their companies’ boards oversee cybersecurity and cyber risk—including matters relating to board composition and structure, management’s reporting to the board, board information sources, and shareholder engagement—as well as voluntary corporate disclosure practices.



Findings


Respondents, primarily corporate secretaries, in-house counsel, and other in-house governance professionals, represent public companies (89%) and private companies (11%) of varying sizes and industries.[1] The findings reflected in the bar charts pertain to all companies, public and private. Where applicable, commentary has been included to highlight differences among respondent demographics. The actual number of responses for each question is provided.

[1] Public company respondent market capitalization as of December 2020: 40% large-cap (which includes mega- and large-cap) (> $10 billion); 47% mid-cap ($2 billion to $10 billion); and 13% small-cap (includes small-, micro-, and nano-cap) (< $2 billion). Private company respondent annual revenue as of December 2020: 50% large (> $1 billion); 25% medium ($250 million to $1 billion); and 19% small (< $250 million). Respondent industry breakdown: 25% consumer; 34% energy, resources, and industrials; 22% financial services; 10% life sciences and health care; and 9% technology, media, and telecommunications.

Throughout this report, in some cases, percentages may not total 100 due to rounding and/or a question that allowed respondents to select multiple choices.





Select any statements that reflect your board’s current composition as it pertains to cyber experience. Select all that apply.
(130 responses)


About 70% of large-cap, mid-cap, and private companies report having one or more board members with cyber experience. About 57% of small-caps said one or more board members have cyber experience. Among public companies, 11% said cyber experience is a top recruitment priority in the next one to two years, whereas no private companies reported this as a recruitment priority.



Which of the following board committees oversee cyber and cyber risk at your company? Select all that apply. (129 responses)


Nearly 69% of public companies reported that the audit committee oversees cyber and cyber risk, followed by 39% of public companies that assign oversight to a combination of the full board and committees.



Indicate who within management serves as the principal liaison with the board and/or one or more committees on cyber-related matters (e.g., provides reports and updates to the board and/or a board committee). Select all that apply. (126 responses)


For small-caps, the principal management liaison was evenly split between the chief information officer/chief information security officer and chief financial officer, at 50% each, followed by the general counsel or chief legal officer and chief technology officer (or equivalent) at 29% each. For all other companies, the chief information officer/chief information security officer was most commonly cited as the principal liaison, followed by the chief technology officer or equivalent.



What information does the board typically receive from the management team as it pertains to cyber? Select all that apply.
(124 responses)


The majority of public and private companies reported that the board receives some form of information from management on cyber—most commonly, vulnerabilities, trends and metrics. Most private companies also identified spend on prevention and detection efforts as information the board typically receives from management. Some respondents noted other information provided to the board, including preventative measures implemented; any significant potential breaches; information on third-party testing and assessments; and information related to management- and auditor-led tabletop exercises with the board.





Describe the frequency of cyber and cyber risk on full board meeting agendas (vs. those addressed at the committee level).
(126 responses)


Cyber is on the agenda annually for 40% of large-cap and 52% of mid-cap companies. The remainder of responses for these market caps was spread across quarterly, biannually, and other. For small-caps, the most common responses, both at 36%, were quarterly and other. Nearly 77% of private companies said that cyber and cyber risk is on the full board meeting agenda annually.



What resources does the board/committees that oversee cyber use to stay current on the cyber risk environment? Select all that apply.
(123 responses)


Management expertise was cited as the most common resource the board uses to stay current on cyber risk, as reported by more than 90% of large- and small-cap companies and 85% of mid-cap and private companies.

More than half of large-cap, mid-cap, and private companies, and nearly 70% of small-cap companies, reported the use of outside/external advisers and relevant briefings and publications provided by management.

About 50% of public companies cited cyber expertise on the board compared with 31% of private companies.

Among all market caps and private companies, more than 36% reported board in-person or online education as a resource.



What information does your company voluntarily publicly disclose about cyber matters? Select all that apply.
(116 responses)


Across market caps, the role of the board and/or a committee in overseeing cyber risks was the most common voluntary disclosure, reported by more than 90% of large- and mid-cap companies and 77% of small-cap companies, compared with 22% of private companies.

For private companies, the most common information voluntarily disclosed consisted of cyber policies, procedures, and risk management programs at 33%. This same type of disclosure was reported by 43% of large-cap, 35% of mid-cap, and 23% of small-cap companies.

Disclosure of cyber expertise on the board was reported by 52% of large-caps, 40% of mid-caps, and 15% of small-caps. For private companies, this disclosure was 11%.

Disclosure of board or committee engagement with management on cyber matters was reported by nearly half of large-cap companies and more than one-third of mid- and small-cap companies.



Have any of your company’s major shareholders requested to engage with the board and/or management on cyber-related matters in the past year? Select all that apply.
(118 responses)


Only 17% of large-cap companies reported shareholder requests to communicate directly with management. The vast majority of public and private companies reported that there were no requests to communicate directly with the board and/or management, ranging from 79% for large-cap companies to nearly 100% for small- and mid-cap companies.