BDO USA Board Survey Reveals Continued Increases in Director Time & Company Resources Spent on Planning for Cybersecurity Risks

October 2016

Jerry Walsh
(631) 419-9008

Progress Made on Documenting & Protecting Digital Assets and Putting Third-Party Cyber-Risk Requirements in Place, But Too Few Share Information from Cyber-Attacks

Chicago, IL – According to a new survey by BDO USA, LLP, one of the nation’s leading accounting and consulting organizations, approximately three-quarters (74%) of public company directors report that their board is more involved with cybersecurity than it was 12 months ago and an even greater percentage (80%) say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 22 percent.  This is the third consecutive year that board members have reported increases in time and dollars spent on cybersecurity.  The survey also identified improvements in the number of boards with cyber-breach response plans in place (from 45% to 63%).  Nevertheless, barely one-quarter (27%) are sharing information on cyber-attacks with entities outside of their business – a practice that needs to become more prevalent for the safety of critical infrastructure and national security, particularly at larger organizations.

"Over the past three years, the BDO Board Survey has documented the ascension of cybersecurity up the boardroom agenda.  Corporate directors are being briefed more often and are responding with increased budgets to address this critical area,” said Shahryar Shaghaghi, National Leader of Technology Services for BDO Consulting.  “The survey also reveals significant vulnerabilities.  Although measurable progress has been made from a year ago, less than half of board members report they have both identified and developed solutions to protect their critical digital assets, and an even smaller proportion indicate they have put cyber-risk requirements in place for third-party vendors – a major source of cyber-attacks.  Moreover, sharing information gleaned from cyber-attacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing this information.”

Public Company Board Members Reveal Positive Trends on Cybersecurity
  2014 2015 2016
Increased Board Involvement 59% 69% 74%
Increased Cybersecurity Investments 55% 70% 80%
Documented/Protected Digital assets n/a 34% 45%
Breach Response Plan in Place n/a 45% 63%
Third-Party Risk Requirements n/a 35% 43%
Purchase Cyber Insurance 10% 28% 28%

Trending Positive

Better than a fifth (22%) of board members indicate that their company experienced a cyber-breach during the past two years, the exact same percentage as last year (22%) and double the percentage of 2013 (11%).  When considering these responses, it is important to note that some companies do not report their breaches and, in other instances, businesses can be unaware that they have been hacked. 
Three quarters (74%) of public company board members report that their board is more involved with cybersecurity than it was 12 months ago.  The vast majority of directors (88%) are briefed on cybersecurity at least once a year – this includes more than a third (34%) that are briefed quarterly and a similar proportion that are briefed annually (37%).  The balance are briefed twice a year (9%) or more often than quarterly (8%).  Surprisingly, twelve percent say they are still not briefed at all on cybersecurity.
Four-fifths (80%) of board members report that their company has increased investments in cybersecurity during the past 12 months, with an average budget expansion of 22 percent.
When asked about formal risk assessments of their critical digital assets, almost half (45%) of the directors report that they have completed documentation of their business’s critical digital assets and developed solutions to protect them.  This represents a significant improvement from 2015 when only one-third (34%) had completed this task.  A quarter (25%) of the board members indicate they have identified their critical digital assets, but a solution strategy is still in process. 
Close to two-thirds (63%) of corporate directors say their company has a cyber-breach/incident response plan in place, compared to less than a fifth (18%) who do not have a plan or who aren’t sure (19%) whether they had such a plan.  Those with plans represent a major improvement from last year when less than half (45%) of directors reported having them.
Forty-three percent of directors say they have cyber-risk requirements that their third-party vendors must meet, a significant increase from 2015 when just over one-third (35%) indicated they had such requirements.  This is important progress as third-party vendors are one of the main sources of cyber-attacks.
Better than one-quarter (28%) of board members say their company has purchased cyber-insurance and an additional 13 percent are currently considering purchasing insurance.  Eleven percent of the directors say they considered cyber-insurance in the past, but decided against it.
Need More Sharing on Cyber-Attacks

Earlier this year, the White House issued Presidential Policy Directive 41 outlining how businesses can contact relevant federal agencies about cyber incidents they experience.  When asked whether they share information they gather from cyber-attacks, only a little more than a quarter (27%) of directors say they share the information externally.  A slightly smaller number (24%) say they do not share the information and approximately half (49%) weren’t sure.
Of those sharing information on their cyber-attacks, the vast majority (88%) share with government agencies (FBI, Dept. of Homeland Security), more than a quarter (28%) share with ISAC (Information Sharing & Analysis Centers) and approximately one-fifth (19%) share with competitors.
Global Data Privacy

Just over a quarter (26%) of directors say they are impacted by global data privacy regulations, such as the European Union’s Data Privacy Shield Law, designed to protect the cross border transfer of data.
These are just a few of the findings of the 2016 BDO Board Survey, conducted by the Corporate Governance Practice of BDO USA in September 2016.  The annual survey examines the opinions of 160 corporate directors of public company boards, with revenues ranging from $250 million to $1 billion, regarding financial reporting, executive compensation, risk management and other corporate governance issues.  For the full survey report go to 2016 BDO Board Survey.
BDO USA's Corporate Governance Practice is a valued business advisor to corporate boards.  The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on a myriad of accounting, tax, risk management and forensic investigation issues.

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals.  The firm serves clients through more than 60 offices and more than 400 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of more than 1,300 offices in over 150 countries. 
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information, please visit: