December 14, 2015
Potentially valuable data underpins the next wave of innovative products, spanning a spectrum from customer credit card and social security numbers to corporate intellectual property. While data breaches at prominent retailers, healthcare providers and financial institutions draw headlines, a debate over the true cost of data breaches continues.
Indeed, investors seem largely unfazed by data breaches. High-profile announcements at companies such as eBay, Target, JPMorgan Chase, The Home Depot and Adobe Systems yielded acute stock drops immediately, but in most cases each was followed by near-term recovery.
Meanwhile, real losses incurred in litigation costs, reputational standing, identity theft, long-term innovation, and ultimately, sales, measure mid- and long-term diminution of value. According to a study by Javelin Strategy & Research, up to one-third of consumers will shop elsewhere if a breach occurs at a retailer, a lesson learned by Target in 2013 when 4th quarter profits fell nearly 50% after 70 million records were stolen.
While the market sorts out the implications of data breaches, the simple fact remains that oversight of cybersecurity risk is a strategic and operational reality breaching company boardrooms. We previously highlighted CEOs and boards of S&P 500 companies with relevant cybersecurity experience and explicit oversight of cybersecurity respectively. At the board level, only 7% of S&P 500 companies specifically disclose cybersecurity oversight as a committee role in their proxies, and of those 35 companies, only five task cybersecurity oversight to their technology committee. If cybersecurity responsibility doesn’t live within technology committees—where logic assumes it may—then who is driving oversight of cyber-risk?
Interestingly, no S&P 500 board incorporates a cybersecurity committee specifically to address cyber threats. According to Equilar’s analysis—after excluding the five technology committees—cybersecurity oversight in the S&P 500 is assigned to 20 audit committees, four compliance & regulatory committees, two nominating & governance committees and four committees otherwise designated. Given the audit committee’s charter to mitigate risk while optimizing business objectives, this finding may come as little surprise to some.
Of those boards that assign cybersecurity oversight to their audit committees, two represent companies where data breaches occurred in the last two years. After hackers stole 36 million records from Adobe Systems in 2013, the company addressed oversight of cybersecurity by the audit committee in its 2015 proxy (p.11).
In 2014, 56 million records were stolen from The Home Depot in a cyber-attack focused on the acquisition of customer credit and debit card information. Home Depot not only disclosed the audit committee’s oversight of cyber-risk, but also addressed the data breach directly in its 2015 proxy (pp.5-6).
Since data comes in so many forms, the question remains whether proxy-disclosed cybersecurity oversight differs by industry. And moreover, in an age of increasing engagement with shareholders, boards must ask themselves how and when to place cybersecurity oversight on their outreach agendas. To find out, stay tuned for part three of our series on cybersecurity oversight in the S&P 500.
The data in this article is powered by Equilar’s BoardEdge, a new data platform that features detailed information on more than 135,000 U.S. board members. BoardEdge not only includes more than a dozen categories about each board member’s background and leadership experience, but also features a network tool clearly displaying how board members are connected to each other. This last feature—connection—is unavailable in the marketplace, and it provides investors and companies a direct application of the data for board assessment, planning and networking.
For more information on Equilar’s research and data analysis, please contact Dan Marcec, Director of Content & Marketing Communications at firstname.lastname@example.org.