BDO USA Survey on Cyber Governance Reveals Continued Increases in Director Time & Company Resources Devoted to Cybersecurity

CHICAGO–(BUSINESS WIRE)–According to a new survey by BDO USA, LLP,
one of the nation’s leading
accounting and advisory organizations, more than three-quarters (79%) of
public company directors report that their board is more involved with
cybersecurity than it was 12 months ago and a similar percentage (78%)
say they have increased company investments during the past year to
defend against cyber-attacks, with an average budget expansion of 19
percent. This is the fourth consecutive year that board members have
reported increases in time and dollars invested in cybersecurity.
Despite this positive progress, the survey also found that businesses
continue to resist sharing information on cyber-attacks with entities
outside of their company. Just one-quarter (25%) are sharing information
gleaned from cyber-attacks with external entities – a practice that
needs to become more prevalent for the safety of critical infrastructure
and national security.

“For the past four years, BDO USA has surveyed public company board
members on their role in planning for and mitigating cyber-attacks at
their companies. The annual survey has documented the continued
ascension of cybersecurity in corporate boardrooms, as directors are
being briefed more often and are responding with increased budgets to
address this critical area. This year’s study also indicates that boards
are aware of the expanding threat of ransomware and most of their
businesses are proactively addressing this risk,” said Gregory Garrett,
Leader of International Cybersecurity at BDO USA. “The survey also
reveals a significant vulnerability – the continued failure of companies
to share information they have gathered from cyber-attacks. Sharing
information gleaned from cyber-attacks is a key to defeating hackers,
yet just one-quarter of directors say their company is sharing
information externally. This behavior needs to change.”

Cyber-Risk

Almost one in five (18%) board members indicate that their company
experienced a cyber-breach during the past two years, a percentage very
similar to the previous two years (22%).

A majority (61%) of corporate directors say their company has a
cyber-breach/incident response plan in place, compared to less than a
fifth (16%) who do not have a plan and close to one-quarter (23%) who
are not sure whether they have such a plan. The percentage with plans is
approximately the same as a year ago (63%), but a major
improvement from 2015, when less than half (45%) of directors reported
having them.

 

Public Company Board Members Maintain Positive Trends on Cybersecurity

| | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|
| Increased Board Involvement | 59% | 69% | 74% | 79% |
| Increased Cybersecurity Investments | 55% | 70% | 80% | 78% |
| Breach Response Plan in Place | NA | 45% | 63% | 61% |
| Experienced a Cyber-Breach in Past 2 Years | NA | 22% | 22% | 18% |
 

Close to four-fifths (79%) of public company board members report that
their board is more involved with cybersecurity than it was 12 months
ago. The vast majority of directors (91%) are briefed on cybersecurity
at least once a year – this includes more than a quarter (28%) that are
briefed quarterly and better than one-fifth that are briefed twice a
year (21%). The balance are briefed annually (36%) or more often than
quarterly (6%).

Surprisingly, nine percent of board members say they are still not
briefed at all on cybersecurity. However, during the four years of the
survey, the percentage of directors reporting no cybersecurity briefings
has dropped consistently (see chart below).

 

Frequency of Cybersecurity Briefings for Public Company Boards

| | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|
| Once a Year | 30% | 37% | 37% | 36% |
| Twice a Year | 16% | 17% | 9% | 21% |
| Quarterly or More Often | 25% | 33% | 42% | 34% |
| Not at All | 29% | 13% | 12% | 9% |
 

Lack of Sharing on Cyber-Attacks

Sharing information gleaned from cyber-attacks is key to defeating
hackers and the U.S. government has consistently communicated how
businesses can contact relevant federal agencies about cyber incidents
they experience.

Unfortunately, when asked whether they share information they gather
from cyber-attacks, only one-quarter (25%) of directors – virtually
unchanged from 2016 (27%) – say they share the information externally. A
similar proportion (24%) say they do not share the information with
anyone and approximately half (51%) aren’t sure whether they do or not.

Of those sharing information on their cyber-attacks, the vast majority
(86%) share with government agencies (FBI, Dept. of Homeland Security)
and close to half (47%) share with ISAC (Information Sharing & Analysis
Centers). Very few (8%) share with competitors.

Ransomware

Earlier this year, the “Wanna Cry” cyber-attack, which impacted
businesses in more than 150 countries, greatly raised awareness of the
threat posed by ransomware. When asked whether their company had taken
steps to minimize its vulnerability to ransomware, a majority (60%)
indicate they are addressing this threat. Of those targeting ransomware
vulnerabilities, a majority (58%) are placing an increased emphasis on
patch management and increasing the frequency of data back-ups (58%).
Close to half (46%) say they have increased their ability to restore
data faster.

SOC for Cybersecurity

Earlier this year, the American Institute of Certified Public
Accountants (AICPA) introduced a Cybersecurity Risk Management Framework
– also known as “SOC for Cybersecurity” – that provides companies with a
proactive approach for designing a risk management program and
communicating about its effectiveness. When asked about this initiative,
just 40 percent of directors are familiar with it.

Of those aware of the voluntary Framework, more than a third (35%)
indicate that they are likely to utilize both readiness testing and
formal audit/attestation for their program. A little more than
one-quarter (27%) indicate they will just utilize the readiness testing
for their programs, while a much smaller minority (6%) plan to use the
formal audit/attestation exclusively. Almost one-third (32%) indicate
they either do not plan to utilize the Framework (14%) or were unsure
(18%) if they would.

These are just a few of the findings of the 2017 BDO Survey on
Cyber Governance, conducted by the Corporate Governance Practice
of BDO USA in August 2017. The annual survey examines the opinions of
140 corporate directors of public company boards, with revenues ranging
from $250 million to more than $1 billion, regarding cyber security
governance. For the full survey report go to 2017 BDO Cyber Governance
Survey.

Earlier this month, BDO USA’s Corporate Governance Practice released the
results of the 2017 BDO Board Survey on corporate governance and
financial reporting issues.

BDO USA’s Corporate Governance Practice is a valued business advisor to
corporate boards. The firm works with a wide variety of clients, ranging
from entrepreneurial businesses to multinational Fortune 500
corporations, on a myriad of accounting, tax, risk management and
forensic investigation issues.

About BDO USA

BDO is the brand name for BDO USA, LLP, a U.S. professional services
firm providing assurance, tax, and advisory services to a wide range of
publicly traded and privately held companies. For more than 100 years,
BDO has provided quality service through the active involvement of
experienced and committed professionals. The firm serves clients through
more than 60 offices and over 500 independent alliance firm locations
nationwide. As an independent Member Firm of BDO International Limited,
BDO serves multi-national clients through a global network of 67,700
people working out of 1,400 offices across 158 countries.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S.
member of BDO International Limited, a UK company limited by guarantee,
and forms part of the international BDO network of independent member
firms. BDO is the brand name for the BDO network and for each of the BDO
Member Firms. For more information please visit: www.bdo.com.
