Anyone who takes part in a corporate board of directors meeting these days is likely to hear conversations about cyber security and regulatory compliance. These areas have become so critical to the risk management strategies of organizations that they can’t be ignored by the very people responsible for guiding businesses to success in their markets.
That doesn’t mean boards are having an easy time dealing with the challenges of security and compliance. A recent report from professional services firm BDO USA analyzed how corporate boards are navigating new data privacy regulations, digital transformation and cyber security risks, and it shows that they are spending more time dealing with security-related issues.
As part of the research, the firm’s Corporate Governance Practice, a business advisor to corporate boards, conducted a survey of 145 corporate directors of public company boards in July and August 2018. One of the key findings was that organizations are investing in digital technology, but lack strategy.
About one third of the directors (34%) said their organization has no digital transformation strategy in place and does not intend to develop one in the near future. That in itself is hard to fathom, given the overall push toward digital transformation that’s underway in so many industries.
As the report pointed out, “digital transformation initiatives have transcended beyond the sole domain of IT to involve the entire organization, elevating digital strategy to the top of the board agenda.”
Meanwhile, cyber security threats are increasingly capturing the attention of boards, according to the report. While a majority of the companies surveyed (79%) said they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight. More than 70% of board members said their board is more involved with cyber security now than it was a year ago.
Nearly one third of board members (32%) said they are briefed at least quarterly on cyber security, while the same percentage are briefed annually. It’s a bit alarming that 9% of boards are not being briefed on cyber security at all, however.
This is the fifth consecutive year that board members have reported increases in time and dollars devoted to cyber security, the report said. In terms of capital investments, three quarters of the directors said their organization has increased its investment in cyber security during the past 12 months.
Also good news from a security standpoint: 79% of the companies now have an incident response plan in place to respond to potential cyber attacks.
Regulation is driving cyber security activities for public company boards, the report said. In the wake of this year’s U.S. Securities and Exchange Commission (SEC) interpretive guidance to assist public companies in preparing disclosures about cyber security risks and incidents, more than half of board directors indicate their company has conducted readiness testing of cyber security risk management programs and implemented new cyber security risk management policies or procedures.
Still, boards lack awareness of the impact of the European Union’s General Data Protection Regulation (GDPR), according to the study. About 70% of board directors said their organization is not impacted by GDPR, which went into effect in May 2018. This might reflect a misunderstanding surrounding many aspects of the new regulation, the report said, since data privacy experts think the number of organizations affected is far greater.
Among respondents who said their company is impacted by GDPR, 78% said their organization has conducted a GDPR gap assessment and another 78% have implemented or updated privacy notices. Furthermore, 43% have updated their breach notification policies.
Just under one third of the board directors (32%) report increasing data privacy budgets, while another third said they have appointed a data protection officer, a requirement under the GDPR for organizations that engage in certain types of data processing activities.
The survey results show that new regulations and emerging risks are driving boards to reevaluate corporate strategy and investments. Most directors indicated that their boards are working to better understand data privacy regulations.
Developing a strategic path for an organization's digital transformation and devoting company resources and board oversight to cyber security and data privacy “are now necessities for businesses to survive and thrive during this time of intense change,” noted Amy Rojik, national assurance partner and director of BDO’s Center for Corporate Governance and Financial Reporting.
BDO's most recent cyber governance survey shows how public company board directors increasingly recognize the competitive advantages of embracing a digital transformation strategy and mitigating vulnerabilities related to cyber risk, Rojik said.