August 10, 2017
It’s no secret that cybersecurity has become a highly desirable skill that boards now seek when appointing a new member. In an age where shareholder scrutiny around board composition has heated up, investors want to be sure that a board is “fit for purpose,” and has the right people in place to push forward board strategy.
Unfortunately, it is a difficult task to precisely identify which directors have such expertise from public filings without digging deep into individual director bios, or by taking the company’s word for it. Board skills matrices are one way in which some companies have chosen to clarify the skills each director brings to their board, including information security expertise. In order to glean observations for what types of cybersecurity disclosures are out there, Equilar conducted a study of these visualizations of board skills in proxy statements.
Among the 425 companies in the Equilar database that included board matrices, just 20 firms disclosed cybersecurity expertise. Those that did had a comparably higher median market cap—more than $10 billion for the companies with cyber disclosures vs. about $2.5 billion for those without. Meanwhile, the median number of employees at firms disclosing cyber security expertise was more than two times the median number of employees at firms which did not mention said expertise—8,200 employees at firms disclosing cyber expertise vs. 4,000 those that did not.
When comparing individual directors at these firms, there is only a marginal difference between directors with cybersecurity expertise and their colleagues at firms who made no such mention of such skills. The proportion of each group that is female or has CEO experience is nearly identical, only differing by a single percentage point in both cases. There is a slightly lower proportion of directors with cybersecurity experience who are considered “independent board members,” with 84% of cyber-expert directors in the study being independent vs. 88% of those without a boxed checked for cyber experience in a skills matrix.
One interesting point to note unrelated to cyber expertise: Of the 425 boards that disclosed skills matrices, about 25% of board seats were occupied by females, well above the overall representation among public companies at large, which stood at 16.2% according to the recent Equilar Gender Diversity Index (GDI).
When it comes to age and tenure there is some divergence. Generally, those who have cybersecurity experience are younger, having an average age of 60.3 years, while other directors in the study had an average age of 62.1 years. Median age followed a similar pattern, as directors disclosed as having cyber experience were on the whole younger. In addition, directors with cybersecurity expertise had an average tenure of 7.0 years while the other directors’ average tenure was 8.3 years. Again their median tenure followed a similar pattern.
While this data provides available analysis from public filings, examining board matrices are limited by the voluntary nature of board matrix disclosure. Acknowledging this limitation, it appears that larger companies, in terms of market capitalization and number of employees, are more likely than their smaller matrix-disclosing peers to include a director with cybersecurity expertise on their board. Among directors themselves, information security experts appear to be slightly younger and more recently appointed than their counterparts. While not counter to what one may expect, there will more than likely be a shift in these distributions as further focus is placed by more shareholders upon having oversight by the board in the area of cybersecurity—which also, of course, will depend on the level of disclosure provided by the companies themselves.
Bergen Smith, research analyst, authored this post. Please contact Dan Marcec, Director of Content & Communications, at email@example.com for more information on Equilar research and data analysis.
For information regarding the studies referenced in this post and to purchase the underlying datasets, or to learn more about Equilar Research Services, please contact the Equilar research team at firstname.lastname@example.org.
If you'd like, we can send our newsletters straight to your inbox.