By Jessica Tasman-Jones
This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards
US companies are appointing cybersecurity experts to their boards ahead of new rules being introduced by the Securities and Exchange Commission (SEC).
A number of companies including Visa, Nordstrom, Zoom and Astra Space have appointed or elected new directors with cyber expertise this year.
The appointments are a shift from previous years, when boards favoured directors who led software companies over executives with deep technical backgrounds, sources said.
The appointments preempt forthcoming regulatory changes that are designed to standardise disclosures about cybersecurity risks, strategies and governance.
The changes were proposed last year and slated for an SEC vote in April, though the vote has been delayed.
If passed, the amendments will require boards to disclose their cybersecurity risk oversight process and how it works with experts in management. They will also need to detail whether the entire board, specific members or a committee is responsible for cybersecurity risk oversight, and how often the board discusses the topic.
Additionally, companies will have to disclose whether they have a chief information security officer (CISO), where this role sits in the organisation and how often they meet with the board.
Some jurisdictions have already moved to raise the profile of cybersecurity at board level in financial services firms. But if the SEC's proposal for a general requirement across all public companies progresses, the US will become a leader in the area, says Richard Watson-Bruhn, US head of digital trust and cyber security at PA Consulting.
The situation in the US contrasts with the UK, where cybersecurity expertise on boards is in decline. The percentage of companies with board members responsible for cybersecurity peaked in 2021 at 38 per cent and has since fallen to 30 per cent, according to government figures published last month.
The decline comes despite many UK companies falling prey to cyber attacks and breaches. Nearly a third (32 per cent) of all businesses – rising to 69 per cent of large businesses – experienced a cyber breach or attack in the last year, the same government survey found.
As the number of board members with cyber expertise declines, so too does the rate of new appointments with that expertise. Just 3 per cent of UK board appointments in 2022 went to directors with cybersecurity experience, compared with 10 per cent in 2021, according to the latest Heidrick & Struggles Board Monitor UK.
This lags behind the US, where 14 per cent of board appointments in 2022 brought cybersecurity expertise, according to the Board Monitor report.
The SEC rules are one factor driving the US figures, says Sam Burman, global managing partner of Heidrick & Struggles' specialty practice. Other factors are also at play, including a larger pool of cyber talent in the US than in the UK.
Several large data breaches at major US organisations have also served as a stark warning to others, Burman adds.
For now, there are no signs the UK plans to introduce a rule equivalent to the SEC's. But best-in-class UK boards are making room for specialist appointments, including in cybersecurity, the Heidrick & Struggles Board Monitor UK says.
"While boards will always require directors with broad executive experience… it’s important that new directors also bring in additional areas of expertise that are needed in today’s environment," it says.
As cyber risks continue to grow and evolve, it’s unlikely we will see less regulation, adds Diligent chief executive Brian Stafford. Companies should prepare now to get ahead and ensure their organisations remain competitive and compliant, he says.
This article is based on a story written for Agenda by Amanda Gerut.