BDO USA Survey on Cyber Governance Reveals Continued Increases in Director Time & Company Resources Devoted to Cybersecurity

Jerry Walsh
[email protected]

A Majority of Board Members Report Businesses are Quickly Addressing Threat of Ransomware, But Too Few Companies are Sharing Information from Cyber-Attacks

Chicago, IL – According to a new survey by BDO USA, LLP, one of the nation’s leading accounting and advisory organizations, more than three-quarters (79%) of public company directors report that their board is more involved with cybersecurity than it was 12 months ago and a similar percentage (78%) say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 19 percent.  This is the fourth consecutive year that board members have reported increases in time and dollars invested in cybersecurity.  Despite this positive progress, the survey also found that businesses continue to resist sharing information on cyber-attacks with entities outside of their company.  Just one-quarter (25%) are sharing information gleaned from cyber-attacks with external entities – a practice that needs to become more prevalent for the safety of critical infrastructure and national security.

"For the past four years, BDO USA has surveyed public company board members on their role in planning for and mitigating cyber-attacks at their companies.  The annual survey has documented the continued ascension of cybersecurity in corporate boardrooms, as directors are being briefed more often and are responding with increased budgets to address this critical area.  This year’s study also indicates that boards are aware of the expanding threat of ransomware and most of their businesses are proactively addressing this risk,” said Gregory Garrett, Leader of International Cybersecurity at BDO USA.  “The survey also reveals a significant vulnerability – the continued failure of companies to share information they have gathered from cyber-attacks.  Sharing information gleaned from cyber-attacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing information externally.  This behavior needs to change.”
Almost one in five (18%) board members indicate that their company experienced a cyber-breach during the past two years, a percentage very similar to the previous two years (22%). 
A majority (61%) of corporate directors say their company has a cyber-breach/incident response plan in place, compared to less than a fifth (16%) who do not have a plan and close to one-quarter (23%) who are not sure whether they have such a plan.  Those with plans is approximately the same percentage as a year ago (63%), but a major improvement from 2015 when less than half (45%) of directors reported having them.
 Public Company Board Members Maintain Positive Trends on Cybersecurity






Increased Board Involvement





Increased Cybersecurity Investments





Breach Response Plan in Place





Experienced a Cyber-Breach in Past 2 Years





Close to four-fifths (79%) of public company board members report that their board is more involved with cybersecurity than it was 12 months ago.  The vast majority of directors (91%) are briefed on cybersecurity at least once a year – this includes more than a quarter (28%) that are briefed quarterly and better than one-fifth that are briefed twice a year (21%).  The balance are briefed annually (36%) or more often than quarterly (6%). 
Surprisingly, nine percent of board members say they are still not briefed at all on cybersecurity.  However, during the four years of the survey, the percentage of directors reporting no cybersecurity briefings has dropped consistently (see chart below).
Frequency of Cybersecurity Briefings for Public Company Boards






Once a Year





Twice a Year





Quarterly or More Often





Not at All





Lack of Sharing on Cyber-Attacks
Sharing information gleaned from cyber-attacks is key to defeating hackers and the U.S. government has consistently communicated how businesses can contact relevant federal agencies about cyber incidents they experience. 
Unfortunately, when asked whether they share information they gather from cyber-attacks, only one-quarter (25%) of directors – virtually unchanged from 2016 (27%) - say they share the information externally.  A similar proportion (24%) say they do not share the information with anyone and approximately half (51%) aren’t sure whether they do or not.
Of those sharing information on their cyber-attacks, the vast majority (86%) share with government agencies (FBI, Dept. of Homeland Security) and close to half (47%) share with ISAC (Information Sharing & Analysis Centers).  Very few (8%) share with competitors.
Earlier this year, the “Wanna Cry” cyber-attack, which impacted businesses in more than 150 countries, greatly raised awareness of the threat posed by ransomware.  When asked whether their company had taken steps to minimize its vulnerability to ransomware, a majority (60%) indicate they are addressing this threat. Of those targeting ransomware vulnerabilities, a majority (58%) are placing an increased emphasis on patch management and increasing the frequency of data back-ups (58%).  Close to half (46%) say they have increased their ability to restore data faster.
SOC for Cybersecurity
Earlier this year, the American Institute of Certified Public Accountants (AICPA) introduced a Cybersecurity Risk Management Framework – also known as “SOC for Cybersecurity” – that provides companies with a proactive approach for designing a risk management program and communicating about its effectiveness.  When asked about this initiative, just 40 percent of directors are familiar with it. 
Of those aware of the voluntary Framework, more than a third (35%) indicate that they are likely to utilize both readiness testing and formal audit/attestation for their program.  A little more than one-quarter (27%) indicate they will just utilize the readiness testing for their programs, while a much smaller minority (6%) plan to use the formal audit/attestation exclusively.  Almost one-third (32%) indicate they either do not plan to utilize the Framework (14%) or were unsure (18%) if they would.
These are just a few of the findings of the 2017 BDO Survey on Cyber Governance, conducted by the Corporate Governance Practice of BDO USA in August 2017.  The annual survey examines the opinions of 140 corporate directors of public company boards, with revenues ranging from $250 million to more than $1 billion, regarding cyber security governance.  For the full survey report go to 2017 BDO Cyber Governance Survey.
Earlier this month, BDO USA’s Corporate Governance Practice released the results of the 2017 BDO Board Survey on corporate governance and financial reporting issues.
BDO USA's Corporate Governance Practice is a valued business advisor to corporate boards.  The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on a myriad of accounting, tax, risk management and forensic investigation issues.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 500 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 67,700 people working out of 1,400 offices across 158 countries.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: