
How to develop a cyber-competent boardroom


January 5, 2022

In 2003, only 21% of America’s S&P 500 corporate boards reported having a financial expert in their director ranks. Thanks to the 2002 legislation known as the Sarbanes-Oxley Act, that number is now 100% [1]. This makes a lot of sense, considering the need for financial reporting integrity in capital markets. In hindsight, it would be hard to argue against having this kind of foundational competency on any corporate board.

Let's apply this lesson to cybersecurity

As the risks and costs of cyberattacks escalate, sometimes threatening organizations' ability to operate, corporate boards are now at a similar point regarding the need for cybersecurity expertise. This is because weak or non-existent cybersecurity governance threatens the global growth of the digital economy, which the World Economic Forum estimates will power 60% of global GDP by 2022 [2].

Cybercrime has been described as the “greatest transfer of economic wealth in history” [3], with projections of costs that could compound 15% per year, potentially reaching US$10.5 trillion annually by 2025. The lesson is clear: boardroom cyber leadership and effective director cyber risk competencies are becoming foundational to help reduce risk and protect profits. And without question, these risks are increasing.

Sophisticated attackers, for example, are working to exploit the systemic risk from broadly expanding digital systems. This means threats can rapidly spread across business partners and connected systems, with escalating damage. Not surprisingly, the SEC, other regulators and the courts are also increasing their scrutiny and their demands for accountability—including the role of the board in cyber risk. 

Good things happened in 2002

That's when America’s regulators passed the Bill known as Sarbanes-Oxley, making the boardroom a critical control point in financial reporting. Flashing forward to 2021, the boardroom is now a vital cybersecurity control point. This is a responsibility that cannot and should not be 'handed down.' It is too important and must be handled from the top down. Unfortunately, this approach is missing altogether or severely underdeveloped in far too many boardrooms. 

The equity, litigation, and business risks that are driven by cyber risk require that cybersecurity governance be a core boardroom competency. While there isn’t (yet) legislation similar to Sarbanes-Oxley that would force every U.S. public company corporate board to add this skill to their director ranks, the cybersecurity crisis facing companies worldwide should nonetheless warrant high priority boardroom action on this issue.

Fortunately, every boardroom can make significant short-term progress toward developing a cyber-competent corporate board. These steps involve developing the general cybersecurity competencies of all corporate directors and adding cybersecurity expertise to the boardroom. Leading companies such as FedEx, PNC, Hasbro and others are already doing this.

It's important to note that America’s regulators see the value of boardrooms having corporate directors with deep cybersecurity expertise. Proposed Senate Bill S. 808, the “Cybersecurity Disclosure Act of 2021” [4], has been introduced for the fourth consecutive U.S. Congress. The Bill would impose a cybersecurity expertise disclosure requirement on America’s listed company boardrooms. While not guaranteed to become law, it shows that America’s regulators see boardroom cybersecurity competencies as important.

If passed, Bill S. 808 would also require companies to add cybersecurity experts to their boardrooms. Fortunately, there are boardroom-ready cybersecurity executives prepared to step up, and more are becoming interested in boardroom service as demand increases. Having deep cyber risk expertise on a board serves the management team, the full board and investor interests well.

Moreover, cybersecurity executives are used to working with organization-wide teams. They bring a broader digital business understanding and perspective to the boardroom; let's not forget how CISOs proved their value during the height of the COVID-19 crisis by keeping employees securely connected. The business and core cyber risk competencies that CISOs possess translate effectively into the needs of the modern corporate boardroom. Adding a cybersecurity expert to the corporate boardroom would significantly strengthen any boardroom as a critical cybersecurity control point. As some leading boards have demonstrated, there's no reason to wait for regulatory intervention.

Also critical: annual training on cyber risk for the board

Every corporate director should receive annual cyber risk training. This is a basic director competency in a digital world, and every board needs to set a strong cyber tone at the top.

Disclosure of director training on cyber risk is already an emerging practice worldwide.

There are three parts to an effective annual corporate director training program on cyber risk. 

First, every corporate director needs to understand systemic cyber risk. Systemic risk, a new dimension of enterprise risk, is a product of the complex digital business systems that now power organizations worldwide. It's essential to understand how systemic risk interacts with cyber risk as a new threat dynamic. 

Second, corporate directors should stay current on the latest issues in the changing threat landscape and emerging cybersecurity tactics.

Finally, because practices around cyber regulations, disclosure and governance are continuing to emerge, corporate directors should remain current on these developments to integrate them into their approach to digital and cyber risk governance. 

Effective cybersecurity is a business priority ...

... and a corporate director responsibility. Every corporate boardroom and director is a critical control point in defending against material risks. As quickly as possible, organizations should develop a highly cyber-competent corporate boardroom to govern this risk effectively, one director at a time.


WRITTEN BY

Robert Kress

Managing Director – Accenture Security, Quality & Risk Lead