Most directors insist their board is increasingly engaged in tackling cyber-threats, yet some still receive no briefings on the topic, and some report that their company has no plan in case of attack, according to new research.
Boards are under increasing pressure to make sure their firm is as well prepared as possible to thwart and respond to cyber-attacks. Equifax’s Richard Smith retired as chair and CEO last month, less than three weeks after the company announced a cyber-breach potentially affecting around 143 million US consumers. ‘I have been completely dedicated to making this right,’ Smith says in a statement on his retirement. ‘At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.’
At the same time, non-executive chair Mark Feidler said the board had formed a special committee to focus on the issues arising from the breach and to ‘ensure that all appropriate actions are taken.’
Seventy-nine percent of directors polled by BDO USA for the new report say their board is more involved with cyber-security than it was 12 months ago. This has ticked up just 5 percentage points since last year, but is up significantly from the 59 percent of directors who reported growing involvement in the 2014 edition of the survey.
Similarly, 78 percent of respondents say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 19 percent. This is a little lower than last year’s score of 80 percent but again up markedly from 2014, when 55 percent of directors reported increased investment.
Sixty-one percent of corporate directors report that their company has a cyber-breach/incident response plan in place, up from less than half (45 percent) in 2015. But 16 percent of respondents say their firm still does not have a plan, and 23 percent are not sure whether they have one.
BDO USA polled 140 directors of public company boards in August.
Asked how often their board is briefed on cyber-security matters, 36 percent say annually, slightly lower than the 37 percent who reported an annual update in the 2016 and 2015 surveys. Thirty-four percent say they receive briefings at least quarterly, a figure that is lower than the 42 percent last year and about the same as in 2015.
The number receiving no briefings at all is lower than in previous years, but almost one in 10 survey respondents (9 percent) still do not get these updates.
SHARING INFO
‘Sharing information gleaned from cyber-attacks with external entities is a practice that needs to become more prevalent for the safety of critical infrastructure and national security,’ the report’s authors write, noting that the US government has informed companies of ways in which they can contact relevant federal agencies about cyber-incidents.
Despite this, only 25 percent of directors – close to last year’s score of 27 percent – say they share information externally that they gather from an incident. Twenty-four percent say they do not share the information with anyone and roughly half (51 percent) are not sure whether they do or not.
Among those that do share information on their cyber-attacks, 86 percent do so with government agencies such as the FBI or US Department of Homeland Security (DHS) and 47 percent share with information-sharing and analysis centers (Isacs). Just 8 percent share with competitors.
‘For the second consecutive year, the survey reveals a continued vulnerability in cyber-security: the ongoing failure of companies to share information they’ve gathered from cyber-attacks with federal agencies, Isacs or competitors,’ says John Riggi, managing director of cyber-security and financial crimes at BDO USA. ‘Sharing information gleaned from cyber-attacks is key to defeating hackers, yet just a quarter of directors say their company is sharing that information externally. This behavior needs to change if corporate America is to prevail in the cyber-wars.’
‘In certain situations concerning cyber-security, the FBI and DHS could truly be viewed as a corporate director’s two best friends,’ the report authors write. Relationships with law enforcement and other key advisers should be cultivated before they are needed, they advise, so that they can help avoid or mitigate a cyber-breach when one occurs. Sharing information can also help companies better protect themselves from attacks, they add.