A majority of board members report businesses are quickly addressing threat of ransomware, but too few companies are sharing information from cyberattacks
Chicago, IL – According to a new survey by BDO USA, LLP, one of the nation’s leading accounting and advisory organizations, more than three-quarters (79 percent) of public company directors report that their board is more involved with cybersecurity than it was 12 months ago and a similar percentage (78 percent) say they have increased company investments during the past year to defend against cyberattacks, with an average budget expansion of 19 percent. This is the fourth consecutive year that board members have reported increases in time and dollars invested in cybersecurity. Despite this positive progress, the survey also found that businesses continue to resist sharing information on cyberattacks with entities outside of their company. Just one-quarter (25 percent) are sharing information gleaned from cyberattacks with external entities – a practice that needs to become more prevalent for the safety of critical infrastructure and national security.
“For the past four years, BDO USA has surveyed public company board members on their role in planning for and mitigating cyber-attacks at their companies. The annual survey has documented the continued ascension of cybersecurity in corporate boardrooms, as directors are being briefed more often and are responding with increased budgets to address this critical area. This year’s study also indicates that boards are aware of the expanding threat of ransomware and most of their businesses are proactively addressing this risk,” said Gregory Garrett, Leader of International Cybersecurity at BDO USA. “The survey also reveals a significant vulnerability – the continued failure of companies to share information they have gathered from cyber-attacks. Sharing information gleaned from cyberattacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing information externally. This behavior needs to change.”
Cyber Risk
Almost one-in-five (18 percent) board members indicate that their company experienced a cyber breach during the past two years, a percentage very similar to the previous two years (22 percent).
A majority (61 percent) of corporate directors say their company has a cyber breach/incident response plan in place, compared to less than one-fifth (16 percent) who do not have a plan and close to one-quarter (23 percent) who are not sure whether they have such a plan. Those with plans is approximately the same percentage as a year ago (63 percent), but a major improvement from 2015 when less than half (45 percent) of directors reported having them.
Public Company Board Members Maintain Positive Trends on Cybersecurity
2014 2015 2016 2017
Increased Board Involvement 59% 69% 74% 79%
Increased Cybersecurity Investments 55% 70% 80% 78%
Breach Response Plan in Place NA 45% 63% 61%
Experienced a Cyber-Breach in Past 2 Years NA 22% 22% 18%
Close to four-fifths (79 percent) of public company board members report that their board is more involved with cybersecurity than it was 12 months ago. The vast majority of directors (91 percent) are briefed on cybersecurity at least once a year – this includes more than a quarter (28 percent) that are briefed quarterly and better than one-fifth that are briefed twice a year (21 percent). The balance are briefed annually (36 percent) or more often than quarterly (6 percent).
Surprisingly, nine percent of board members say they are still not briefed at all on cybersecurity. However, during the four years of the survey, the percentage of directors reporting no cybersecurity briefings has dropped consistently (see chart below).
Frequency of Cybersecurity Briefings for Public Company Boards
2014 2015 2016 2017
Once a Year 30% 37% 37% 36%
Twice a Year 16% 17% 9% 21%
Quarterly or More Often 25% 33% 42% 34%
Not at All 29% 13% 12% 9%
Lack of Sharing on Cyberattacks
Sharing information gleaned from cyberattacks is key to defeating hackers and the U.S. government has consistently communicated how businesses can contact relevant federal agencies about cyber incidents they experience.
Unfortunately, when asked whether they share information they gather from cyberattacks, only one-quarter (25 percent) of directors – virtually unchanged from 2016 (27 percent) – say they share the information externally. A similar proportion (24 percent) say they do not share the information with anyone and approximately half (51 percent) aren’t sure whether they do or not.
Of those sharing information on their cyberattacks, the vast majority (86 percent) share with government agencies (FBI, Dept. of Homeland Security) and close to half (47 percent) share with ISAC (Information Sharing & Analysis Centers). Very few (8 percent) share with competitors.
Ransomware
Earlier this year, the “WannaCry” cyberattack, which impacted businesses in more than 150 countries, greatly raised awareness of the threat posed by ransomware. When asked whether their company had taken steps to minimize its vulnerability to ransomware, a majority (60 percent) indicate they are addressing this threat. Of those targeting ransomware vulnerabilities, a majority (58 percent) are placing an increased emphasis on patch management and increasing the frequency of data back-ups (58 percent). Close to half (46 percent) say they have increased their ability to restore data faster.
SOC for Cybersecurity
Earlier this year, the American Institute of Certified Public Accountants (AICPA) introduced a Cybersecurity Risk Management Framework – also known as “SOC for Cybersecurity” – that provides companies with a proactive approach for designing a risk management program and communicating about its effectiveness. When asked about this initiative, just 40 percent of directors are familiar with it.
Of those aware of the voluntary Framework, more than one-third (35 percent) indicate that they are likely to utilize both readiness testing and formal audit/attestation for their program. A little more than one-quarter (27 percent) indicate they will just utilize the readiness testing for their programs, while a much smaller minority (6 percent) plan to use the formal audit/attestation exclusively. Almost one-third (32 percent) indicate they either do not plan to utilize the Framework (14 percent) or were unsure (18 percent) if they would.
These are just a few of the findings of the 2017 BDO Survey on Cyber Governance, conducted by the Corporate Governance Practice of BDO USA in August 2017. The annual survey examines the opinions of 140 corporate directors of public company boards, with revenues ranging from $250 million to more than $1 billion, regarding cybersecurity governance. For the full survey report go to 2017 BDO Cyber Governance Survey.
Earlier this month, BDO USA’s Corporate Governance Practice released the results of the 2017 BDO Board Survey on corporate governance and financial reporting issues.
BDO USA’s Corporate Governance Practice is a valued business advisor to corporate boards. The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on a myriad of accounting, tax, risk management and forensic investigation issues.
About BDO USA
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 500 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 67,700 people working out of 1,400 offices across 158 countries.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.