How corporate boards are navigating cybersecurity risks and data privacy
Digital transformation initiatives have transcended beyond the sole domain of IT to involve the entire organization, elevating digital strategy to the top of the board agenda, according to BDO USA.
“Developing a strategic path for an organization’s digital transformation and devoting company resources and board oversight to cybersecurity and data privacy are now necessities for businesses to survive and thrive during this time of intense change,” said Amy Rojik, national assurance partner and director of BDO’s Center for Corporate Governance and Financial Reporting. “BDO’s Cyber Governance Survey this year reveals how public company board directors increasingly recognize the competitive advantages of embracing a digital transformation strategy and mitigating vulnerabilities related to cyber risk.”
In the world of business, the goals to disrupt, innovate, and transform have become daily pursuits of organizations. However, while organizations may be making ad-hoc investments in digital, many have not yet set a digital transformation strategy into motion.
- In fact, about one-in-three respondents (34 percent) say their organization has no digital transformation strategy currently and does not intend to develop one in the near future.
- Two-thirds (66 percent) of public company board directors say their organization either has a digital transformation strategy in place or is planning to develop one.
Malcolm Cohron, BDO USA’s national Digital Transformation Services leader, stated, “Digital transformation is predicated on the foresight to re-imagine business five years into the future and then work backwards. The board of directors plays a critical role in catalyzing strategic planning for the long-term view. As the pace of change accelerates and the timeline of ‘long-term’ is shrinking, organizations that live solely in the present are already operating in the past.”
With or without a concrete strategy in place, boards are taking steps to address technology disruption:
- Almost half (45 percent) have increased capital allocation toward digital initiatives and 29 percent have hired board members with relevant oversight skills.
- Another 16 percent of board directors have introduced new metrics for enhanced business insight.
- Meanwhile, nearly one-in-three respondents (29 percent) said they have not taken any of these steps to address technology disruption, which may point to organizations overlooking significant opportunities and underestimating critical risks to their business.
For all the doors digital innovation opens, it also invites a host of new threats in the form of increasingly sophisticated cyber attacks. Corporate board members must ensure their organization develops a complete picture of its cybersecurity risks and adopts a threat-based cybersecurity strategy in alignment with an existing enterprise risk management framework.
This is the fifth consecutive year that board members have reported increases in time and dollars devoted to cybersecurity. In terms of capital investments, 75 percent of directors say their organization has increased its investment in cybersecurity during the past 12 months.
- While about eight-in-ten (79 percent) companies surveyed claim they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight. In fact, 72 percent of board members say the board is more involved with cybersecurity now than they were 12 months ago.
- Furthermore, eight-in-ten (79 percent) companies have an incident response plan in place to respond to potential cyber attacks.
With boards increasingly more involved in discussions around cybersecurity, especially due to regulatory changes and the potential for reputational damage, the cadence of reporting on cybersecurity is increasing.
- Close to one-third (32 percent) of board members saying they are briefed at least quarterly on cybersecurity, while 32 percent are briefed annually.
- However, nine percent of boards are not being briefed on cybersecurity at all.
In addition to precautionary measures, regulation is driving cybersecurity activity for public company boards, as well. In the wake of this year’s SEC interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents, more than half of board directors indicate their company has conducted readiness testing of cybersecurity risk management programs (58 percent) and implemented new cybersecurity risk management policies or procedures (53 percent).
- Additionally, about one-third of companies (34 percent) have conducted a formal audit of their cyber risk management program, but just seven percent have leveraged the Center for Audit Quality’s Cybersecurity Risk Management Oversight: A Tool for Board Members.
- Despite this, a quarter of organizations surveyed have taken no steps to address the SEC’s guidance on cyber disclosure obligations.
In recent years, the explosion of data has created new, unprecedented business challenges, including increased risk and cost. The GDPR, which went into effect on May 25, 2018, is the most significant overhaul to the EU’s data privacy policies in over twenty years. Among respondents who say they are impacted:
- Seventy-eight percent report their organization has conducted a GDPR gap assessment, another 78 percent have implemented or updated privacy notices, and 43 percent have updated their breach notification policies.
- Just under one-third (32 percent) report increasing data privacy budgets, while another one-third (32 percent) have appointed a Data Protection Officer, a requirement under the GDPR for organizations that engage in certain types of data processing activities.
Conversely, more than two-thirds of board directors (69 percent) said their company is not impacted by the GDPR. Chances are, many of them are wrong. More muted reported impact among corporate directors may reflect lack of awareness or misunderstanding that still underlies many aspects of this new regulation. Although we have seen an uptick in U.S. companies that have conducted GDPR assessments and updated privacy notices, there is still a lot of work to do. U.S. companies still seem to fall short of building a culture of privacy.