A recent Carnegie Mellon University CyLab survey of corporate board directors reveals a gap in board and senior executive oversight in managing cyber risks.
Based upon data from 703 individuals (primarily independent directors) serving on U.S.-listed public company boards, only 36 percent of the respondents indicated that their board had any direct involvement with oversight of information security.
The survey also said that cybersecurity issues need to be seen as an enterprise risk management problem rather than an IT issue. Only 8 percent of survey respondents said their boards had a risk committee that is separate from the audit committee.
Jody Westby, the survey’s lead author, said:
There are real fiduciary duty and oversight issues involved here. There is a clear duty to protect the assets of a company, and today, most corporate assets are digital. We also found that boards were only involved about 31 percent of the time in assessment of risk related to IT or personal data – the data that triggers security breach notification laws.
To help company boards improve corporate governance of privacy and security, the survey recommends broad operational changes, ranging from establishing a board risk committee separate from the audit committee, to reviewing existing top-level policies, to creating a culture of security and respect for privacy.