According to a new report from Diligent and Bitsight, only 5% of companies have a cyber expert on their board of directors, even though stronger cybersecurity performance is correlated with significantly better financial performance.
There is significant variation between countries in the proportion of organizations with a cyber expert on the board, ranging from 10% in France to just 1% in Canada.
The study observes a significant improvement in cybersecurity performance when these experts are integrated into specialized risk committees.
Companies with cyber experts on a specialist audit or risk committee achieved an average security performance score of 700 out of a maximum of 900, compared to a score of 580 for companies without a cyber expert in these committees.
The median security score for companies with specialized risk committees was 730, and for those with only audit committees, 720. This compares to a median score of 660 for companies with neither type of committee.
The countries where companies were most likely to have specialist risk committees were Australia (90%), the UK (48%), Canada (45%) and France (38%).
This correlates strongly with the overall average security rating by country, with Canada, the United States, Australia, the United Kingdom and France making up the top five of the seven countries analyzed.
Security scores, which range from 250 to 900, are based on Bitsight's measures of an organization's ability to prevent cybersecurity incidents over time.
Data is collected across 23 risk vectors, including botnet infections, patch cadence, mobile app security, and open ports.
Stronger Cybersecurity Equals Better Financial Performance
Companies with an “advanced” security rating (score of 740 to 900) had significantly better financial performance than companies with a “basic” security rating (score of 250 to 630).
Over a three-year period, the average total shareholder return (TSR) for companies with an advanced security performance rating was 67%, compared to 14% for companies with a basic rating, more than four times higher.
Over five years, companies in the advanced performance range had an average TSR of 71%, while those in the basic performance range had an average TSR of 37%.
The report outlines several potential factors that could explain this correlation, including:
- Some of the companies with high cybersecurity scores operate in high-growth industries, like technology.
- Companies in the advanced security performance category also have strong governance fundamentals.
Keith Fenner, senior vice president and general manager EMEA at Diligent, said the findings highlight the need for boards and business leaders to strengthen their cyber risk expertise, with this area now a key indicator of financial performance.
“These results show that cybersecurity is not just an IT problem: it is a business risk that has a significant impact on the short-term performance and long-term health of a business, and which management and the board of directors need to be aware of,” he explained.
Cybersecurity performance by sector
The report found that highly regulated industries tended to outperform other sectors in cybersecurity performance measures.
Healthcare had the highest average security score, followed by energy, utilities and financial services.
The financial sector has the highest proportion of organizations in the advanced security performance category, at 33%. This is followed by healthcare (18%), industrials (10%), information technology (9%) and consumer discretionary (9%).