Survey: Cybersecurity Is Keeping More Corporate Directors Up At Night
While reputational risk is the No. 1 nonfinancial concern among corporate directors, cybersecurity/IT risk is gaining steam. In fact, both private companies and organizations with more than $1 billion in revenue felt they were more at risk from cybersecurity than reputation issues, according to the results of a new survey from accounting and advisory firm EisnerAmper LLP.
The firm’s fifth annual Board of Directors Survey: Concerns About Risks Confronting Boards – which was conducted during January, February, and March 2014 – measured the opinions of directors serving on the boards of more than 250 publicly traded, private, and not-for-profit companies across a variety of industries. Fifty-three percent of the survey group identified themselves as serving on audit committees.
Corporate directors were asked to identify the nonfinancial risks that concerned them the most. For the second straight year, reputational risk was recognized as their primary concern (72 percent in 2014 versus 73 percent in 2013). However, cybersecurity/IT risk was second at 62 percent, up almost 10 percent from last year’s survey. Regulatory compliance risk – the third-most highly ranked concern – dropped 6 percentage points to 50 percent in 2014.
“The study found that with regulatory compliance factors, such as Dodd-Frank and the Patient Protection and Affordable Care Act, having been rolled out, the level of concern about those regulations has actually dropped,” Steven Kreit, a partner in EisnerAmper’s public companies practice, said in a written statement. “When we take into account additional feedback from the participants, it paints a picture of boards coming to terms with both Dodd-Frank and healthcare reform.”
As might be expected, reputational risk was of paramount concern (82 percent) to not-for-profit organizations. Organizations with revenue of $1 million to $10 million were least concerned about reputational risk, with 60 percent of directors indicating it was a concern important to their boards.
Cybersecurity was the No. 1 concern for private companies (66 percent) – and a very close second for public companies (71 percent). Directors serving organizations with more than $1 billion in revenue also favored cybersecurity (73 percent) as the top risk, followed immediately by reputational risk (72 percent).
“The financial cost and damage to reputation from a cyber/privacy breach is growing exponentially,” Nancy Brady, director of IT risk services for EisnerAmper, said in the survey report. “Directors have recognized the increasing risk companies face related to cyber- and data security. Now they need to roll up their sleeves and, with the companies, address these risks.”
Although fraud risk did not rank in the top third of concerns overall, 39 percent of public company board members did cite it, making public companies a significant outlier compared with other types of organizations, according to EisnerAmper.
Concern about CEO succession planning for private companies dropped by 14 percent to 34 percent, bringing it far out of line with public companies (55 percent) and not-for-profits (50 percent).
“This is especially interesting considering the plethora of discussions around global battles for executive talent,” EisnerAmper wrote in the survey report. “However, private company boards are generally two to three times more concerned about outsourcing risk as compared to public and not-for-profit boards.”
Corporate directors surveyed indicated that while 85 percent of their CEOs have a strong understanding of broad-based risk assessment and 74 percent of chief executives have a firm grasp on regulatory compliance changes, only 51 percent have a strong understanding of cybersecurity issues. Only 58 percent of CFOs at their companies have a firm grasp of cybersecurity issues.
“Despite strong concerns about reputational risk and cyber- and data security, we saw little in the survey showing support for the resources necessary to address it,” Kreit noted. “With many organizations admitting that they had no plans or relatively unsophisticated plans to address these top-rated risks, there is a need for boards to focus some of their strategic planning time on reevaluating how they will effectively handle concerns as they arise.”