Board practices regarding IT oversight and cybersecurity
Greater director involvement in social media oversight, concern about the Department of Homeland Security/NIST cybersecurity frameworks and increased use of IT consultants are among the trends shaping governance and the board of the future, according to PwC.
Directors also acknowledge that big data and cloud technologies are two areas which may demand more board attention. And, a majority of directors have not discussed their company’s crisis response plan or cybersecurity insurance coverage. In addition, female directors generally want to spend more time on IT issues than do male directors.
In the summer of 2014, 863 public company directors responded to PwC’s 2014 Annual Corporate Directors Survey. Of those, 70% serve on the boards of companies with more than $1 billion in annual revenue.
“We structured this year’s survey to gauge director sentiment on key trends as well as other factors shaping governance and the board of the future,” said Mary Ann Cloyd, Leader for PwC’s Center for Board Governance. “Over the past few years, we’ve seen significant changes to board practices regarding IT oversight and cybersecurity. There is increasing recognition that IT is a business issue, not just a technology issue.”
PwC highlights director sentiments related to these particular trends:
Forty-one percent of directors say they are now at least moderately engaged in overseeing the company’s monitoring of social media for adverse publicity – compared to 31% in 2012. There was also an 11 percentage point increase in directors who are at least somewhat engaged in overseeing employee social media training and policies. Similarly, almost half of directors are now at least somewhat engaged in overseeing employee use of mobile technologies – double that of two years ago.
Forty-two percent of directors are at least somewhat concerned about the impact of the new Department of Homeland Security/NIST cybersecurity framework, but many directors may not yet be aware of the protocols or their potential impact.
Directors acknowledge that big data and cloud technologies are two areas that could use more of their attention, with over a quarter saying they are not sufficiently engaged. Only 53% of directors say their company’s IT strategy and IT risk mitigation approach “at least moderately” take sufficient advantage of big data.
Nearly half of directors have not discussed their company’s crisis response plan in the event of a security breach and more than two-thirds have not discussed their company’s cybersecurity insurance coverage.
There was a noteworthy year-over-year improvement in directors’ views about their company’s IT strategy and IT risk mitigation approach. Forty-five percent now believe their company’s approach very much contributes to, and is aligned with, setting overall company strategy, while 26% of directors very much believe it provides the board with adequate information for effective oversight (compared to 37% and 22%, respectively in 2013).
A greater percentage (66%) also believes their company’s approach is supported by a sufficient understanding of IT at the board level (compared to 64% in 2013).
Female directors are more skeptical about whether their company’s IT strategy and IT risk mitigation approach is supported by a sufficient understanding of IT at the board level (only 13% say “very much” compared to 22% of male directors). Female directors are also more skeptical about whether their company’s approach provides the board with adequate information for effective oversight (15% say “very much” compared to 28% of male directors).
The use of external IT advisors to assist boards is on the rise, with 38% of directors now saying their boards use external IT consultants — compared to 26% in 2012.