The rise of cyber attacks, both in frequency and severity, has propelled cyber risk to the top of boards' priorities as they continue facing modern-day challenges. With cyber threats growing more complex and widespread, boards are under increasing pressure to address cybersecurity risks effectively and protect their organizations' interests.
However, the approaches that boards take often vary.
This prompted Diligent Institute and Bitsight to dig a bit deeper and understand how boards address cyber risks and the outcomes of these approaches. What they found in their report was that companies with advanced cybersecurity performance create 372% higher shareholder return compared to their peers with basic cybersecurity performance.
Creating a higher shareholder return is not surprising, but seeing a percentage that big was a bit shocking to me. Companies in the New York State and Connecticut area, please take note that cybersecurity is a key indicator of financial performance.
Don’t believe it? The report goes into more detail:
The average total shareholder return for companies with advanced security performance ratings over a five-year and three-year period was 71% and 67%, respectively, while companies in the basic performance range delivered 37% and 14% TSR over the same time frames.
These findings suggest a direct link between robust cybersecurity and shareholder value. Investors clearly recognize the financial risks associated with cyber attacks, data breaches and operational disruptions. Companies that demonstrate a proactive approach to cybersecurity are likely perceived as more resilient and less susceptible to these costly events.
This perception translates into greater investor confidence.
Also, companies with a higher number of independent directors are more likely to have advanced security ratings. About 76% of directors on the boards of these companies with advanced security ratings are independent, compared to 66% in the basic security performance category.
Independent directors provide valuable insights and challenge management assumptions regarding cybersecurity investments. They ensure the board actively discusses cyber risks and holds management accountable for implementing effective security measures. A strong contingent of independent directors also fosters a culture of transparency around cybersecurity issues.
“These findings show that cybersecurity is not just an IT problem — it is an enterprise risk that has material impact on a company’s near-term performance and long-term health, and one that management and the board needs to be up to speed on,” said Dottie Schindlinger, Executive Director of the Diligent Institute.
To achieve better security performance, companies, even those in New York State and Connecticut, are encouraged to have a specialized risk committee or audit committee.
A dedicated risk committee with cybersecurity expertise delves deeper into cyber threats and vulnerabilities. They assess the company's risk profile, recommend tailored security measures and hold management accountable for implementation.
An audit committee with cybersecurity knowledge can scrutinize the company's cybersecurity practices, including incident response plans, employee training, and vendor security assessments. This independent oversight strengthens security posture and identifies potential weaknesses.
And a dedicated committee ensures cybersecurity is embedded within the company's overall strategy, not just an IT concern. They can advocate for resources, prioritize investments in security technologies and align security practices with business objectives.
Even in states with strong cybersecurity regulations, companies benefit from these committees. Regulations set a baseline, but a committee goes beyond compliance, proactively identifying and mitigating emerging threats. They can also foster a culture of security awareness within the organization.
The results of having specialized risk committees?
The median cybersecurity rating for companies with specialized risk committees is 730, compared to 720 for companies with only audit committees. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, whereas companies with cybersecurity experts on the general board, but not on either committee, attain a security rating of 580.
“The research shows that market-leading companies that prioritize cyber risk management outperform their peers,” said Derek Vadala, Chief Risk Officer, Bitsight. “This cannot be achieved without a strong understanding of cybersecurity performance and clear benchmarks shared across the executive team and board. The role of the CISO has shifted. Cyber risk is a key component of business performance.”
The message of the report is quite clear: In the past, cybersecurity was seen as a way to minimize potential problems. Now, it's a critical factor that directly impacts a company's financial success.
To stay ahead, businesses need to make cybersecurity a core part of their overall strategy. This includes setting clear and ambitious goals for security improvements and getting full backing from leadership at the board level.
Edited by Alex Passett