The Securities and Exchange Commission is in the process of finalizing new rules that would push publicly traded companies to detail the cyber expertise on their boards, signaling such experience will be an important metric tracked by regulators.
Those rules were first unveiled last year and have been heavily publicized by the agency since, but recent data collected by a range of observers suggests that it has yet to move the needle at many companies, and may in fact be getting worse.
A report issued last week by Heidrick and Struggles, an executive search and management consulting firm, analyzed new board appointments at Fortune 500 companies in the U.S. and major enterprises in other countries over the past year. It found that of the 414 allocated in 2022, just 14% went to individuals with backgrounds in cybersecurity.
That’s actually slightly lower than the previous year, when 17% of new board seats went to directors with cyber experience.
Matt Aiello, a partner who leads the global cybersecurity practice at Heidrick and Struggles, said that while it’s possible some existing or new directors have backgrounds working on cyber issues that weren’t captured, the findings underscore how “board seats are precious real estate” where cybersecurity continues to face stiff competition as companies seek to add other important perspectives and experience.
“When a board seat comes open, our clients are usually solving for several [core competencies]. They’re looking for maybe international expertise, or a certain leadership profile, they might be thinking about the overall composition of the board and for diversity. They might be thinking about another business perspective that’s lacking … so for better or for worse, CISOs [and other cyber candidates] historically are likely to be perceived as more narrow” value additions to boards, Aiello said in an interview.
How does cyber experience stack up on existing boards?
Heidrick and Struggles' findings track broadly with findings from a number of other organizations that look at the makeup of existing boards.
The CAP Group, a cybersecurity advisory consulting firm, recently synthesized research from Ernst and Young, the Wall Street Journal, ISS Insights and the U.S. Spencer Stuart Board to get a comprehensive look at how companies across the country were prioritizing cybersecurity in board appointments. That could include chief information security officers (CISOs), executives with past experience leading or working on IT security issues, or individuals who had regular interaction with or oversight around cyber issues, like a CIO.
Using those numbers, the company determined that among Fortune 100 companies, cyber-specific board experience is fairly common: 51 of the 100 had at least one director with a background in information security. After that, the numbers saw a steep drop-off. Just 17% of S&P 500 companies had members with cybersecurity backgrounds, while among the Russell 3000 index (which tracks the 3,000 largest publicly traded companies in the U.S.), just 9% had any members who fit that same description.
Brian Walker, founder and CEO of The CAP Group, told SC Media that they began collecting different datasets and crunching the numbers around cyber board appointments because a number of their board-level clients were “scratching their heads,” asking questions about how the upcoming SEC rules would work in practice and what would qualify as cybersecurity experience.
There has been some improvement over the past two years. Of the 456 directors who joined S&P 500 boards in 2021, just 18 (or 3.9%) had any kind of technical experience in areas like cybersecurity, IT software engineering or data analytics. The numbers are more than double two years later, but they also reveal a noticeable lack of urgency on the part of companies to start adding members with that experience now.
“I can’t emphasize enough how that is kind of going backwards to what we need to solve as an industry,” said Walker, later adding, “I’m not seeing that [companies] are pulling the trigger on taking any specific action en masse right now. I think they’re waiting for the final rulemaking … so they’re doing scenario planning now but not acting yet.”
Cyber expertise among many new rules
The SEC regulations have yet to go live — industry observers said they expect them to be finalized in April, but the agency did not respond to SC Media’s request to confirm that timeline.
Even when the regulations do go live, they’ll still be relatively light-touch: companies would be required to report on the cybersecurity expertise of their board members, with no hard mandate to add such members.
Still, Aiello, Walker and others expect to see a more visible surge in companies reporting cybersecurity-centric directors next year when companies are required to report, whether through adding new members or by highlighting existing members who have some previous nexus to the field that wasn’t emphasized before.
Even a simple reporting requirement could push industry to boost their numbers, since it would signal that cyber expertise on the board is an important metric the SEC is paying attention to as the regulator conducts investigations, oversight and enforcement around cybersecurity incidents. The board requirements are just one of numerous new cybersecurity rules the SEC has introduced over the past year, with the latest additions having been announced March 15.
“It’s a matter of ‘if and when we have an issue and it gets to be visible and public, we need to demonstrate our duty of care that we are trying to bring the right expertise,’” said Walker, describing the mindset of executives who may be covered by the rule.
Still, that principle could also work in the opposite direction. A publicly traded company with a cybersecurity-centric board member that suffers a breach may have less plausible deniability to argue that the company was unaware of best practices around things like data security.
How will the SEC define experience?
Because the rules don't lay out a specific definition of what would constitute cybersecurity experience, some companies may opt to update the biographies of current board members if they can find some connection in their past work. The rules do require businesses to detail the nature of a member's background, but it's not clear if someone with a cybersecurity law degree or who has prosecuted cybercrimes, or an executive who regularly interacts with the security staff, would be viewed the same as a CISO or someone from a practitioner background.
"Some [companies] are preparing a bit early — and that's awesome — but I do think what will ultimately happen is that once this is officially required and absolutely has to be there, we'll suddenly see current directors that have cybersecurity experience that maybe we didn't know about before," said Jeff Pollard, a vice president and principal analyst for security at Forrester. "Unfortunately what that will mean is some of those folks once heard what a firewall was ... and now they will count that for the board."
There are also divided opinions about what direct or unique benefits a company could realistically expect to derive from having board members with cybersecurity backgrounds. Pollard noted that for many public companies, the authority of the board of directors mostly centers around two powers: hiring and firing the CEO and voting on the chairman. The governance structures are mainly guided by pre-established bylaws and boards are not powerless in their influence but limited in their ability to shift the entire strategy of the company towards priorities like cybersecurity.
Without those powers, some newly added board members might find the finger pointed at them when their business suffers a breach or has other cybersecurity breakdowns.
"The risk is that this person becomes the cyber expert for the board and they become the fall person when that company experiences an issue, and they say 'Well, we weren't guided correctly by our board person and so let's swap them out for someone else,'" said Pollard.
"One of my fears is we have just left the era where CISOs were a scapegoat. You had a breach, you put out a statement saying you take privacy and security seriously, the CISO leaves a month later and you hire a new one. My concern with this position is this is almost the same thing. Now we'll put this person on the board, they're not going to have much authority because boards don't really have a ton of authority."