Public Company Boards Increase Time & Resources On Cyber-Security, Yet Lack Mitigation Strategies According to BDO USA, LLP

October 2015

Chicago, IL – According to a new survey by BDO USA, LLP, one of the nation’s leading accounting and consulting organizations, more than two-thirds (69%) of public company board members report that their board is more involved with cybersecurity than it was 12 months ago and a similar percentage (70%) say they have increased company investments to defend against cyber-attacks during the past year, with an average budget expansion of 22 percent.  Despite this increase in awareness and resources, just one-third (34%) of corporate directors report that they have documented and developed solutions to protect their business’s critical digital assets.  Moreover, less than half (45%) have a cyber-breach response plan in place and only one-third (35%) of directors say their company has developed cyber-risk requirements for their third-party vendors.
“This year's BDO Board Survey clearly shows that cybersecurity is moving up on the boardroom agenda. Corporate directors report that they are being briefed more often and they are responding with increased budgets to address this critical area,” said Shahryar Shaghaghi, National Leader of Technology Services for BDO Consulting. “Nevertheless, the survey also reveals that there is much work to be done in terms of implementation of cybersecurity mitigation strategies, as only one-third of board members indicate they have both identified and developed solutions to protect their critical digital assets. It is especially troubling that less than half of the directors believe their company has a cyber-incident response plan in place and only one-third have cyber-risk requirements for third-party vendors – a major source of cyber-attacks.”
More than one-fifth (22%) of board members say their company experienced a cyber-breach during the past two years, double the 2013 figure (11%). This increase has clearly spurred action in corporate boardrooms.
Trending Positive
The percentages of directors reporting increased involvement in cybersecurity (69%) and increased cyber budgets (70%) represent substantial increases from 2014, when 59 percent of directors cited an increase in time spent on digital security and just over half (55%) reported an increase in cybersecurity investments.
The vast majority of directors (87%) indicate that they are briefed on cybersecurity at least once a year; this includes one-third (33%) who are briefed at least quarterly. This represents a substantial increase from 2014, when 71 percent reported at least an annual briefing and only one-quarter (25%) were briefed at least quarterly. Equally revealing, just 13 percent of board members say they are not briefed on cybersecurity at all, compared to 29 percent last year.
More than one-quarter (28%) of board members say their company has purchased cyber-insurance, almost triple the percentage (10%) that reported purchasing this coverage in 2014.
Work to be Done
When asked about formal risk assessments of their critical digital assets, only one-third (34%) of directors report that they have completed documentation of their business’s critical digital assets and developed solutions to protect them, while a similar percentage (32%) say they have identified their critical digital assets but a solution strategy is still in process. Approximately one-fifth (19%) of board members say they are still working to identify critical digital assets, while 15 percent indicate their company has done no work to identify and protect their digital assets.
Less than half (45%) of corporate directors say their company has a cyber-breach/incident response plan in place, compared to one-third (34%) who do not have a plan. More than a fifth (21%) of board members were not sure whether they had such a plan.
Just over one-third (35%) of directors say their company has developed cyber-risk requirements that their third-party vendors must meet, and only 5 percent of directors are aware of their company having changed a vendor due to cyber-risk concerns. Since third-party vendors are one of the main sources of cyber-attacks, these findings reveal a significant cybersecurity blind spot at the board level.
These are just a few of the findings of the 2015 BDO Board Survey, conducted by the Corporate Governance Practice of BDO USA in September 2015.  The annual survey examines the opinions of 150 corporate directors of public company boards regarding financial reporting, executive compensation, risk management and other corporate governance issues.  For the full survey report go to 2015 BDO Board Survey.
BDO USA's Corporate Governance Practice is a valued business advisor to corporate boards.  The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on a myriad of accounting, tax, risk management and forensic investigation issues.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through 63 offices and more than 400 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of more than 1,300 offices in over 150 countries.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: