McKinsey surveyed 23 financial services firms about how their Boards of Directors are engaging on cybersecurity. The survey focused on three areas: oversight, structure, and awareness and understanding. Key findings include:
- Oversight: 95% of Board committees discuss cyber risks 4x or more per year, covering topics such as threat updates, relevant breach case studies, and the impact of regulatory changes. The focus on cybersecurity has increased dramatically in recent years: in 2017, McKinsey found that only 25% of all companies addressed cybersecurity with their Boards more than once per year. 65% of Boards have at least one director with cybersecurity or technology risk expertise.
- Structure: While risk and audit committees generally retain ultimate oversight, 22% of respondents now have a technology committee to oversee cybersecurity.
- Awareness and understanding: This area is still evolving. While 65% of firms present an integrated report on cybersecurity and operational resilience, cybersecurity reporting to the Board lacks the standardized metrics and language that other key reporting lines, such as sales, operations and finance, already have. In addition, only 48% of respondents include the Board in cybersecurity tabletop exercises.
The increased engagement by Boards in cybersecurity is clearly trending in the right direction, but from a very low base, as McKinsey’s 2017 finding of ‘one meeting with cybersecurity on the agenda per year’ showed. Many fundamental changes in cybersecurity focus are still needed, such as explicitly tying executive compensation to cybersecurity performance, something few companies currently do. One of the main roadblocks is the lack of widely recognized, standardized metrics for judging whether a company is doing a good, average or poor job of cyber governance, in contrast to standardized financial metrics such as sales or EPS growth.
Some companies use crude measures such as whether or not a company experiences a breach, which is a poor primary metric since:
- the impact of different breaches varies massively depending on type (there is an enormous difference between a minor data leak and a days-long ransomware attack)
- the vast majority of actual breaches, including the most financially damaging ones, ransomware attacks, go undetected by companies altogether. This is something no other cyber ratings firm takes into account.
Cyberhedge provides a transparent, real-time way of judging actual performance with a completely external view through our Cyber Governance Ratings.
Finally, the fact that Boards participate in tabletop exercises at only half of these firms is problematic, in part because these exercises can shorten incident response time after a cyber breach. This is especially critical in a ransomware attack, as Cyberhedge research clearly shows that ransomware-driven operational downtime can wreck company financials for several months post-breach and leads to +15% average share price declines 3 months after the event.
The increase in the number of companies with cyber expertise on their Boards is encouraging, but considering the size of the financial risk, most Boards are still outsourcing too much of the responsibility for actively managing that risk, to the detriment of their shareholders, customers and partners.