Board Cybersecurity Oversight

By Randi Morrison posted 11-07-2019 09:50 PM

  

Nasdaq’s new “U.S. Boards Through the Lens of Cybersecurity” imparts an abundance of share-worthy benchmarking data – replete with instructive examples – about board cybersecurity oversight practices based on a review of S&P 100 proxy disclosures for the 2019 proxy season filed as of June 1st.

Key findings include:

- Board structure & operations

  • Structure: 88% of boards assign cybersecurity oversight to at least one committee – typically the Audit Committee. The balance of boards that charge at least one committee with this responsibility most commonly assign it to Risk, Technology or Compliance-focused committees.
  • Management reporting: 27% of companies identify at least one executive who reports to the board or a board committee – most commonly the CISO. 13% of companies disclose a specific reporting frequency to the board or board-level review, e.g., annually, quarterly.
  • Expertise: Most companies emphasize having a “strong ‘tech savvy’ board” in lieu of cyber experts.

- Committee organization & composition

  • One-third of cyber oversight committees include a board leader – typically the lead independent director.
  • 78% of committees with cybersecurity oversight identified at least one director with a cyber or tech (72%) or risk (41%) background.
  • Directors specifically charged with cybersecurity oversight tend to be at the younger end of the age spectrum (i.e., ages 50 – 63, as compared to 64 – 70, and 70+).

- Recent activities

  • 27% of companies disclosed the board’s recent cybersecurity activities, with the top three consisting of:
    • Discussion of cybersecurity as part of the company’s investor engagement conversations
    • Cybersecurity was an investment priority or key area of focus in the past year.
    • New directors with relevant expertise were added to the board.

See our recent reports: “Cybersecurity: Proxy & 10-K Disclosures” and “Investors Cite Cybersecurity as #1 ESG Concern,” and numerous additional resources on our Cybersecurity/Data Privacy page. This post first appeared in the weekly Society Alert!