Boards have awakened to the cybersecurity threat: survey

There has a “huge shift” in the past three years of greater corporate board focus on cybersecurity issues that is due in part to several large, well-publicized data breaches, a researcher says.

Sixty-three percent of boards today are actively addressing and governing computer and information security, up sharply from 33% in 2012 — the most recent year Global Cyber Risk P.L.C. CEO Jody R. Westby conducted the study through the Georgia Tech Information Security Center in Atlanta.

Governance of Cybersecurity: 2015 Report by the Washington-based cyber risk consultant is based on results from 121 board-level or senior executive-level respondents.

Driving the increase “was the whole series of events that have occurred” since Target Corp.'s breach, as well as the unsuccessful calls for votes against its directors' re-election, Ms. Westby said.

Shareholder derivative litigation filed against Target and other firms “and more willingness by courts to hear those cases” has made directors realize they are “now in the bull's-eye and they needed to pay attention to cyber and govern those risks,” Ms. Westby said.

“Much of it is self-interest,” she said. “They don't want it to happen to them. That's OK, because they're protecting their organization by trying to do a better job of managing the risk,” she said.

Among other survey results, boards also are reviewing their cyber insurance coverage more frequently. For example, 62% of boards overseeing energy firms and utilities said they reviewed their cyber coverage in this year's survey versus just 14% in 2012.

Companies are realizing they do not have a cyber risk strategy, and appropriate insurance helps them manage that risk, said Ms. Westby.

In addition, 50% of respondents said their board regularly or occasionally reviews and approves annual budgets for privacy and information technology security programs, up from 41% in 2012.