NightDragon, Diligent Report Finds Gap in Cyber Experience in S&P500 Board Rooms

Businesses are spending more money every year trying to defend their digital environment from attackers. In fact, as other areas of the business face tighter budgets this year, 48% of CEOs planned to increase investment in cybersecurity and data privacy, according to a survey from advisory firm PricewaterhouseCoopers. Meanwhile, cybersecurity remains the most challenging area of oversight for corporate leaders, according to a recent survey of public company directors by Diligent Institute and Corporate Board Member.

There’s a good reason for that. It’s clear the digital revolution is only gaining steam, increasing the risk surface every day for attackers to target. Technology now underpins every aspect of our lives and any threat to that digital infrastructure could mean major disruptions for millions of people – if not more catastrophic consequences.

We’re already beginning to see the impacts of this on our personal and corporate lives, including attacks targeting financial organizations, hospitals, critical infrastructure and more. As previously mentioned, these attacks culminate in estimated global losses of around $10.5 trillion by 2025, as well as drive further ramifications to ongoing operations and business reputation.

As a result, cybersecurity is increasingly becoming a discussion at the board level and part of the overall company compliance and risk strategy. And now, as AI and other new innovations are poised to only further amplify the power of cyber incidents, the federal government is getting involved. The Biden administration is in the midst of mandating that companies quickly disclose breaches and publicize risk mitigation strategies as part of its annual regulatory reporting requirements and the U.S. Securities and Exchange Commission has adopted new regulations around the topic, among other efforts.

With so much at stake, NightDragon and Diligent analyzed the leadership composition of the Boards of the S&P 500, with a goal to determine if there was a potential gap in education and expertise at the nation’s largest and most influential companies when it comes to mitigating cyber risk and guiding strategies from the top down. The report and its findings are endorsed by industry leaders including the New York Stock Exchange, Glass Lewis, ISC2, Spencer Stuart and Moody’s.

Our research confirms that, despite the rising risk and cost of cyberattacks, 88% of S&P 500 companies do not currently have an executive with specialized cybersecurity experience on their board to guide them on risk mitigation efforts, and 57% lack similar specialized experience in other technology categories. Boards have a direct responsibility to shareholders to mitigate risk to the organization, yet, as the data shows, many do not possess the background, education, or training to fluently “speak the language of cybersecurity” and adequately combat cyber risk.

“As cyberattacks continue to rise and cause significant impacts to organizations in every industry, it has never been more important for our nation’s organizations to incorporate cybersecurity awareness at every level of the organization. It is the responsibility of every S&P 500 organization – as well as every other business in the world – to make sure they are educating themselves and either adding or consulting cybersecurity experts, or risk leaving themselves vulnerable to attack.” 

Dave DeWalt, Founder and CEO at NightDragon and member of many boards.

While previous role experience is not the only measure of expertise on the topic of cybersecurity, these findings show that there is room to grow for Boards of Directors when it comes to educating themselves and incorporating the right expertise as part of their overall governance strategies.