Corporate Directors Have Cybersecurity on the Brain

Corporate directors tend to be busy people with plenty of problems to mull over. The latest iteration of a survey from NYSE Governance Services, in association with executive search and leadership consulting firm Spencer Stuart, gets inside directors’ heads to pinpoint the most important and troubling of these issues.

The 2014 edition of the “What Directors Think” survey [PDF], which reflects data collected from nearly 600 directors around the country, found that many of them are thinking hard about cybersecurity. Knowledge of information technology was one of the top four attributes that respondents said they would look for when appointing their next new director—along with CEO and industry experience and financial expertise. Some 20 percent of directors surveyed reported they lacked confidence in their boards’ overall understanding of cybersecurity’s many facets.

Jean-Marc Levy, NYSE Euronext’s head of global issuer services, told that although cybersecurity has been an emerging concern for several years, in the last 12-24 months “it’s absolutely at the forefront of every single board of directors discussion that we have.”

According to Levy, the issue was front and center during NYSE Governance Services’ recent West Coast Boardroom Summit. Many directors at the summit were candid about their need for guidance on cybersecurity issues, said Levy. “Directors don’t even know what questions they should be asking,” he said.

Information technology and cybersecurity are part of a larger conversation more boards seem to be having about risk management. Of the survey’s respondents, 40 percent said there was room to improve their board’s knowledge and understanding of risk oversight. When asked how they could improve the ability of their boards to oversee risk, the most commonly cited solution, at around 44 percent, was including more key highlights and fewer details in management reports. The second most common response, at around 39 percent, was a need to better understand the board’s risk oversight role.

Levy said there’s still some debate as to how risk would best be evaluated on many boards. Some directors want to delegate risk management to a separate committee, while others maintain it’s better left as a full-board function. Levy has found that many directors are more comfortable discussing topics like business strategy or executive compensation than they are talking about risks like cybersecurity, so he believes corporate secretaries and general counsel have a role to play in guiding board-level discussions on risk management.

Of course, one of the problems with getting IT and cybersecurity risk experts on the board is that director turnover doesn’t keep pace with the need for expertise on new topics. More than 50 percent of respondents in the survey said they thought it was important for good governance to get new blood on the board, but, in reality, turnover can be slow. In fact, the “Spencer Stuart Board Index 2013” [PDF] showed that the number of new board appointees fell by 23 percent between 2008 and 2012.

Two ways of encouraging more “refreshing” of the board’s membership—term limits and age ceilings—can be controversial. In the survey, only about 25 percent of directors said they believed term limits were effective, while around 49 percent said they thought age ceilings were effective. Levy said that whatever the differing feelings might be about these policies, the reality is that replacing members doesn’t guarantee that the new ones will be more helpful and independent. “Really, the consensus from the boards, as well as from advisers and experts, is: it’s not a silver bullet,” he said.

Levy explained that rather than following a formulaic approach, like enforcing term or age limits, many corporate boards are working to keep directors sharp by focusing on the member evaluation process. This is an area where Levy said corporate secretaries and general counsel are in a good position to help, as they are in tune with both board member and company needs. “We find that the corporate secretary and general counsel are incredibly important in helping to put in place processes that are rigorous, but at the same time, those that boards of directors feel are safe,” Levy said.
