Only 5% of boards have a cybersecurity specialist

Only 5% of companies have a cybersecurity specialist on the board of directors, despite numerous studies showing that there is a strong correlation between robust system protection and significantly superior financial performance, according to a new report from Diligent and Bitsight.

According to this year’s report, there was significant variation between countries in the proportion of organizations with a cybersecurity expert sitting on the board, ranging from 10% in France to just 1% in Canada.

The study observed a significant improvement in cybersecurity performance when these experts sit on specialized risk committees. Companies with a cybersecurity specialist on an audit or risk committee had an average security performance score of 700 out of 900, compared to a score of 580 for companies without a cybersecurity specialist on these committees.

The average security rating for companies with specialized risk committees was 730, and for those with only audit committees it was 720. This compared to a rating of 660 for companies with neither type of committee.

The countries where companies were most likely to have specialized risk committees were Australia (90%), the United Kingdom (48%), Canada (45%) and France (38%). This correlates strongly with the overall average security rating by country, with Canada, the US, Australia, the UK and France making up the top five of the seven countries analyzed.

Security ratings are based on Bitsight measurements of an organization's ability to prevent cybersecurity incidents over time, and range from 250 to 900. Data is collected across 23 risk vectors, including botnet infections, patch cadence, mobile application security and open ports. Companies rated as "advanced" (scores of 740 to 900) had much stronger financial performance than companies rated as "basic" (scores of 250 to 630).

Over a three-year period, the average total shareholder return (TSR) for companies with advanced performance ratings was 67%, compared to 14% for companies with basic ratings — more than four times as much. Additionally, over five years, companies in the Advanced Performance Track had an average TSR of 71%, while those in the Basic Performance Track had an average TSR of 37%.

The report presented several potential factors that could explain this correlation, including:

• Some of the companies with high cybersecurity scores are in high-growth sectors such as technology;

• Companies in the advanced security performance segment also have robust governance fundamentals;

Keith Fenner, senior vice president and general manager of EMEA (Europe, Middle East and Africa) at Diligent, said the findings highlight the need for boards and business leaders to develop competency around cyber risk as the area is now a key indicator of financial performance.

“These findings show that cybersecurity is not just an IT issue — it is a business risk that has a material impact on the short-term performance and long-term health of a company, and that management and the board need to stay up to date,” he added.

The report concluded that highly regulated industries tend to outperform other sectors on cybersecurity performance measures. Healthcare, for example, had the highest average score for security, followed by energy, utilities and finance. The financial sector had the highest proportion of organizations in the advanced security performance range at 33%. This was followed by healthcare (18%), industry (10%), information technology (9%) and consumer (9%).

Source: CisoAdvisor, Diligent Institute