Cyber Risk Ranks #1 in Board Focus

By Randi Morrison posted 05-01-2017 12:08 PM

  

As reported in last week's Society Alert, according to the recently-released 2016 Board Practices Report, a collaborative board practices benchmarking effort between the Society and Deloitte LLP's Center for Board Effectiveness, cyber is the #1 risk respondents' boards are focused on by a significant margin (73%), followed by finance/legal risks (59%), and product risks (35%).

Additional noteworthy cyber practices-related findings include:

  • The Audit Committee most commonly oversees cybersecurity issues (54%) - followed by the full board (23%). However, those overall figures are subject to significant industry- and company size-specific swings, with almost half of all Financial Services companies allocating oversight to a Risk Committee, and small-caps and mid-caps being much more likely than large-caps to retain oversight at the full board level (30% and 27%, respectively, compared to 16% for large-caps).   
  • 14% of respondents' boards added a director with cyber experience in the past two years. 20% are reportedly seeking directors with tech/IT experience, while 10% are reportedly seeking directors with cybersecurity experience specifically.
  • 26% of boards receive reports on cybersecurity annually; 19% at each regular board meeting; 27% based on some other frequency; and 27% on an as-needed basis.
  • The three most common issue types reported to the board/board committee are data security (88%), system infrastructure (82%), and data privacy (71%).
  • The CISO (48%) and CTO (32%) are most commonly responsible for reporting on cybersecurity to the board.  
  • Cybersecurity and cyber risk were cited as the fourth most common education topic for new and existing directors - ranked just after board fiduciary duties and other responsibilities, and the #1 audit committee education program topic over the past year.

The iconic Board Practices Report - which presents findings from a survey distributed to the Society's public company members in late 2016 - covers trends in over 15 areas of board practices and hot topics including cyber risk, shareholder activism, and board diversity.

Watch for our report in this week's Society Alert on the findings of a recent NYSE/Diligent directors survey on board communications-related cybersecurity practices and associated recommendations, and see this article: "Cybersecurity Experts are Populating American Boardrooms," and our heaps of board cybersecurity oversight, benchmarking, and other resources on our Cybersecurity/Data Privacy topical page.
