Knowledge center
Blog Home
Equilar Blog
On Guard, Part 3: Oversight of Cybersecurity by Industry
January 18, 2016
Cybersecurity strategy will be a crucial corporate risk and governance issue for 2016 and beyond. Customers
care about their private data, enterprises value their intellectual property and investors seek assurance
that their portfolio companies have taken steps to mitigate the risk of a data breach. Even legislators are
getting in on the cybersecurity act, with two senators recently introducing a
bill
that would require public company boards to disclose directors with cybersecurity expertise. Given that the
eventuality of cyber-attacks is considered more and more a “when” and not simply an “if,” companies must decide
how to address cybersecurity strategy and assign oversight accordingly.
In previous installments in this series on cybersecurity in the corporate environment, Equilar analyzed the
cybersecurity backgrounds of CEOs
and board oversight by
committee in the S&P 500.
The risks of data breaches, the accelerating frequency and
magnitude of cyber-attacks and the effect on shareholder value and enterprise reputation became readily
apparent in those analyses.
Since data comes in many forms, we studied whether certain types of companies disclose board oversight of
cybersecurity more than others. For this final part of our series, we analyzed the 35 S&P 500 companies that
disclosed board oversight of cybersecurity, looking both at the total number of companies by industry as well
as the percentage of companies in each industry that included such a disclosure in their public filings.
Perhaps unsurprisingly, the retail industry, with five, and business services and software industries, with
four each, led the S&P 500 by number of companies disclosing board oversight of cybersecurity. Companies in
these industries are particularly interested in protecting both sensitive and valuable customer and enterprise
data. On the other end of the spectrum—and somewhat ironically—only one of the 21 S&P 500 companies in the
insurance industry disclosed board oversight of cybersecurity.
Despite the fact that retail and business services were among the leaders in sheer numbers, these companies
represented just 16.1% and 13.8% of their industry peers, respectively. And even though just one company in
the computer hardware industry disclosed such information—which is surprising at face value—there are only
two such companies in the S&P 500, meaning 50% of the industry is included in our study. Similarly, four out
of 12 software companies shared cybersecurity oversight by their directors, accounting for 33% of all S&P 500
companies included in that industry classification.
As cybersecurity risk and oversight find a toehold in the corporate governance universe, some companies choose
to both engage with their shareholders on the topic and disclose their outreach in company filings. In its
2015 proxy statement (p. 8), not only did Pfizer explain its shareholder outreach program, but disclosed
the board’s oversight of cybersecurity as an agenda item to discuss with investors. With technical innovation and
the blossoming of big-data ahead, one can expect governance leaders to meet the challenges of both mitigating
cyber-risk and reassuring through disclosure that valuable information is protected and safe. At this point,
however, that trend is still in its infancy, with just 7% of the S&P 500 communicating its oversight of
cybersecurity risk.
The data in this article is powered by Equilar’s BoardEdge, a new data platform that features detailed information
on more than 135,000 U.S. board members. BoardEdge not only includes more than a dozen categories about each board
member’s background and leadership experience, but also features a network tool clearly displaying how board members
are connected to each other. This last feature—connection—is unavailable in the marketplace, and it provides
investors and companies a direct application of the data for board assessment, planning and networking.
For more information on BoardEdge, or to request a demo, click here.
For more information on Equilar’s research and data analysis, please contact Dan Marcec, Director of Content &
Marketing Communications at dmarcec@equilar.com. Matthew Goforth,
research and content specialist, authored this article.