Report: Cybersecurity Remains a Top Company Threat for Directors

December 6, 2018

Only 52% of directors, however, are confident they sufficiently understand cyber risks to provide effective oversight.

By Eve Tahmincioglu

With news of yet another cybersecurity breach, this time Marriott International Inc., risk oversight by directors has never been more important.

While the majority of directors say their understanding of cybersecurity issues has improved in the last two years, only 52% are “confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight,” according to an annual report by the National Association of Corporate Directors, NACD, released Thursday. (The report surveyed more than 500 public company directors and was conducted June through August 2018 by NACD, with additional board-governance analysis of the Russell 3000 from Main Data Group, a corporate governance data provider.)

The findings also didn’t bode well for impending hacks. Only 50% of those directors surveyed reported they were “confident” their companies are secured against a cyber attack.

“Although a majority of boards are comfortable with their understanding of cyber risk, they continue to regard it as an area for improvement and indicate that cyber threats will have a major impact on their companies in the next 12 months,” the report found.

Board knowledge, the authors write, can grow stale because threats are limitless and constantly mutating.

In the case of Marriott, some accounts of the hack point to the cyber risks that came with Starwood Hotel & Resorts, which Marriott bought in 2016. According to a Bloomberg article, “the acquisition was fraught from the beginning, with Starwood disclosing a security breach just days after the deal was announced.”

An article in CEO Dive stated that: “when an acquisition takes place, security continuity isn't always a part of the contract. Now, the cost of Starwood is much more than Marriott initially bargained for.”

Indeed, major transactions should get increased attention, but according to the NACD study boards may be dropping the ball on oversight in this regard.

Only 30% of directors polled said they evaluated the cybersecurity consequences of decisions such as mergers and acquisitions, new product development, and new market entries.

Despite the troubling findings, directors are increasingly optimistic about their grasp of cyber issues.

The survey found:

  • 81% believe that their boards’ understanding of cyber risks has improved over the last two years
  • And nearly 60% believe their boards collectively know enough about cyber risk to provide effective oversight.

The cyber confidence increase is partly because many directors are investing in more self-education to better understand cyber issues, says Friso van der Oord, the NACD’s director of research. “Boards are now treating cybersecurity as a true organizational risk,” he adds, “not just an IT conversation.”

Beyond cyber disruptions, the survey also looked at which technologies boards saw at the biggest disruptors. Artificial intelligence topped the list.

  • Directors rate artificial intelligence as the biggest technology disruptor (47%), but also regard it as the biggest business enabler (49%) likely to benefit their organizations.
  • Eighty-two percent of directors surveyed report that disruptive risks are much or moderately more important than they were just five years ago.

Going forward, boards are focused on improving their monitoring of strategy and risk.

The report found that “directors point to monitoring of strategy execution (68%) and understanding of risks and opportunities (68%) affecting company performance as the top two areas for board improvement in the next 12 months.”