January 18, 2016
Cybersecurity strategy will be a crucial corporate risk and governance issue for 2016 and beyond. Customers care about their private data, enterprises value their intellectual property and investors seek assurance that their portfolio companies have taken steps to mitigate the risk of a data breach. Even legislators are getting in on the cybersecurity act, with two senators recently introducing a bill that would require public company boards to disclose directors with cybersecurity expertise. Given that the eventuality of cyber-attacks is considered more and more a “when” and not simply an “if,” companies must decide how to address cybersecurity strategy and assign oversight accordingly.
In previous installments in this series on cybersecurity in the corporate environment, Equilar analyzed the cybersecurity backgrounds of CEOs and board oversight by committee in the S&P 500. The risks of data breaches, the accelerating frequency and magnitude of cyber-attacks and the effect on shareholder value and enterprise reputation became readily apparent in those analyses.
Since data comes in many forms, we studied whether certain types of companies disclose board oversight of cybersecurity more than others. For this final part of our series, we analyzed the 35 S&P 500 companies that disclosed board oversight of cybersecurity, looking both at the total number of companies by industry as well as the percentage of companies in each industry that included such a disclosure in their public filings.
Perhaps unsurprisingly, the retail industry, with five, and business services and software industries, with four each, led the S&P 500 by number of companies disclosing board oversight of cybersecurity. Companies in these industries are particularly interested in protecting both sensitive and valuable customer and enterprise data. On the other end of the spectrum—and somewhat ironically—only one of the 21 S&P 500 companies in the insurance industry disclosed board oversight of cybersecurity.
Despite the fact that retail and business services were among the leaders in sheer numbers, these companies represented just 16.1% and 13.8% of their industry peers, respectively. And even though just one company in the computer hardware industry disclosed such information—which is surprising at face value—there are only two such companies in the S&P 500, meaning 50% of the industry is included in our study. Similarly, four out of 12 software companies shared cybersecurity oversight by their directors, accounting for 33% of all S&P 500 companies included in that industry classification.
As cybersecurity risk and oversight find a toehold in the corporate governance universe, some companies choose to both engage with their shareholders on the topic and disclose their outreach in company filings. In its 2015 proxy statement (p. 8), Pfizer not only explained its shareholder outreach program but also disclosed the board’s oversight of cybersecurity as an agenda item to discuss with investors. With technical innovation and the blossoming of big data ahead, one can expect governance leaders to meet the challenges of both mitigating cyber-risk and reassuring through disclosure that valuable information is protected and safe. At this point, however, that trend is still in its infancy, with just 7% of the S&P 500 communicating its oversight of cybersecurity risk.
The data in this article is powered by Equilar’s BoardEdge, a new data platform that features detailed information on more than 135,000 U.S. board members. BoardEdge not only includes more than a dozen categories about each board member’s background and leadership experience, but also features a network tool clearly displaying how board members are connected to each other. This last feature—connection—is unavailable in the marketplace, and it provides investors and companies a direct application of the data for board assessment, planning and networking.
For more information on Equilar’s research and data analysis, please contact Dan Marcec, Director of Content & Marketing Communications at firstname.lastname@example.org. Matthew Goforth, research and content specialist, authored this article.