Sep 25, 2023

Boards lagging on cyber-security expertise, study finds

Investors increasingly turning attention to cyber-risk management, strategy and governance practices

The number of directors with cyber-security expertise at S&P 500 companies remains low, with only 12 percent of firms having a cyber-security expert on their board, according to new research from the latest Diligent and NightDragon State of Board of Directors Cyber Awareness Report.

The research finds that an additional 31 percent of these companies have some level of technology expertise on their boards, but there is a gap in cyber-specific education and expertise at the highest level of large US companies.  

It also shows that 52 percent of the biggest companies in the US have at least one board member with some connection to the cyber-world, though not any direct connection or hands-on experience in cyber-security or a technology role.

The report assesses the average cyber-security expertise at US large caps by reviewing the board and C-suite compositions of S&P 500 firms and categorizing them based on specific criteria, including previous roles and cyber-experience.

The findings come nearly two months after the SEC voted to approve cyber-security rules that require businesses to disclose material incidents that affect them but do not require companies to report on the level of cyber-security expertise on the board. Due to the material negative impact cyber-attacks have on shareholder value, however, experts say board oversight and cyber-security risk are becoming increasingly important.

‘With the new SEC cyber-security rules going into effect in 2024, investors will likely look even more closely at companies’ risk-management, strategy and governance practices on this critically important issue,’ says Cheryl Gustitus, chief strategy officer at Glass Lewis, one of the firms that also collaborated on the report.

According to Brian Stafford, Diligent’s president and CEO, it’s time for board members to build up cyber-knowledge. ‘The reality is that cyber-security is a growing risk across all industries and businesses,’ he says. ‘Boards of directors have a growing responsibility to build their competence around cyber-risk so they can implement more effective governance strategies and have more meaningful conversations with management.’

Dave DeWalt, founder and CEO at NightDragon, echoes Stafford’s message and calls for businesses to step up their education. ‘As cyber-attacks continue to rise and cause significant impacts to organizations in every industry, it has never been more important for our nation’s organizations to incorporate cyber-security awareness at every level of the organization,’ he says.

‘It is the responsibility of every S&P 500 organization – as well as every other business in the world – to make sure they are educating themselves and either adding or consulting cyber-security experts, or risk leaving themselves vulnerable to attack.’