Board Cyber Expertise, Exposure: S&P 500

By Randi Morrison posted 10-16-2023 08:24 PM


In this report, “State of Cyber Awareness in the Board Room,” NightDragon and Diligent revealed the results of their analysis of the backgrounds of S&P 500 directors with reference to cybersecurity experience or exposure.

Key findings include:

The majority of boards—“Category 3” (for purposes of the pie chart below)—have at least one director with some adjacent connection to cyber, but no direct previous experience in a practitioner cybersecurity or technology role.

Examples include directors who: (i) have served on the board of another IT/cyber industry company; (ii) have completed cyber education, belong to cyber associations or committees, or have some other cyber affiliation; or (iii) have some tech and/or IT experience, but not in a C-level role, and not specific to cybersecurity.

Nearly one-third of boards—“Category 2”—have directors with technology, but not necessarily cyber, expertise. Examples include: (i) current or former CIOs of companies that do not offer cybersecurity services; (ii) CTOs; and (iii) SVPs of IT.

Of the 12% of boards (60 companies) characterized as having cyber experts—“Category 1”—seven boards have a current or former CISO. The balance of the cyber expert directors may consist of, for example, current or former CIOs or CEOs of cybersecurity services companies.

According to a different analysis conducted by the WSJ of S&P 500 directors (based on data from FactSet), as of August 31, 2023, 107 directors at 113 companies (compared to 86 directors at 91 companies as of November 2022) had professional cybersecurity experience. Of those directors, 82 have experience in an executive role, including eight with experience as CISOs and 68 as CIOs, and 25 either held a senior government role in cybersecurity or led and/or founded a cybersecurity company.

As shown above, directors with professional cybersecurity experience are more concentrated in the Financials, IT, Industrials, and Consumer Discretionary industries.

Editor’s Note: Notably, the SEC’s final cybersecurity rule does not require board cyber expertise disclosure, as initially proposed. The Society was among many commenters, including the SEC’s own Investor Advisory Committee, who did not support this disclosure (see “SEC Investor Committee”).

See these articles: “Boards Still Lack Cybersecurity Expertise” (WSJ) and “Only one in 10 boards ready to manage cyber-security risks” (IR Magazine); our prior reports: “Benchmarking Cyber Expertise on the Board of Directors” and “Issue-Expert Directors Don’t Make For a Qualified Board”; and additional resources on our Cybersecurity/Data Privacy page.

This post first appeared in the weekly Society Alert!
