Friday, February 26, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Cybersecurity

BDO USA Survey on Cyber Governance Reveals Continued Increases in Director Time and Company Resources Devoted to Cybersecurity

by Corporate Compliance Insights
September 26, 2017
in Cybersecurity, GRC Vendor News
BDO USA Survey on Cyber Governance Reveals Continued Increases in Director Time and Company Resources Devoted to Cybersecurity

A majority of board members report businesses are quickly addressing threat of ransomware, but too few companies are sharing information from cyberattacks

Chicago, IL – According to a new survey by BDO USA, LLP, one of the nation’s leading accounting and advisory organizations, more than three-quarters (79 percent) of public company directors report that their board is more involved with cybersecurity than it was 12 months ago and a similar percentage (78 percent) say they have increased company investments during the past year to defend against cyberattacks, with an average budget expansion of 19 percent.  This is the fourth consecutive year that board members have reported increases in time and dollars invested in cybersecurity.  Despite this positive progress, the survey also found that businesses continue to resist sharing information on cyberattacks with entities outside of their company.  Just one-quarter (25 percent) are sharing information gleaned from cyberattacks with external entities – a practice that needs to become more prevalent for the safety of critical infrastructure and national security.

“For the past four years, BDO USA has surveyed public company board members on their role in planning for and mitigating cyber-attacks at their companies.  The annual survey has documented the continued ascension of cybersecurity in corporate boardrooms, as directors are being briefed more often and are responding with increased budgets to address this critical area.  This year’s study also indicates that boards are aware of the expanding threat of ransomware and most of their businesses are proactively addressing this risk,” said Gregory Garrett, Leader of International Cybersecurity at BDO USA.  “The survey also reveals a significant vulnerability – the continued failure of companies to share information they have gathered from cyber-attacks.  Sharing information gleaned from cyberattacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing information externally.  This behavior needs to change.”

Cyber Risk

Almost one-in-five (18 percent) board members indicate that their company experienced a cyber breach during the past two years, a percentage very similar to the previous two years (22 percent).

A majority (61 percent) of corporate directors say their company has a cyber breach/incident response plan in place, compared to less than one-fifth (16 percent) who do not have a plan and close to one-quarter (23 percent) who are not sure whether they have such a plan.  Those with plans is approximately the same percentage as a year ago (63 percent), but a major improvement from 2015 when less than half (45 percent) of directors reported having them.

Public Company Board Members Maintain Positive Trends on Cybersecurity

                                                                                          2014         2015         2016         2017

Increased Board Involvement                                  59%           69%           74%         79%

Increased Cybersecurity Investments                  55%           70%           80%         78%

Breach Response Plan in Place                                NA             45%           63%         61%

Experienced a Cyber-Breach in Past 2 Years     NA             22%           22%         18%

Close to four-fifths (79 percent) of public company board members report that their board is more involved with cybersecurity than it was 12 months ago.  The vast majority of directors (91 percent) are briefed on cybersecurity at least once a year – this includes more than a quarter (28 percent) that are briefed quarterly and better than one-fifth that are briefed twice a year (21 percent).  The balance are briefed annually (36 percent) or more often than quarterly (6 percent).

Surprisingly, nine percent of board members say they are still not briefed at all on cybersecurity.  However, during the four years of the survey, the percentage of directors reporting no cybersecurity briefings has dropped consistently (see chart below).

Frequency of Cybersecurity Briefings for Public Company Boards

                                                            2014                2015                2016                2017

Once a Year                                     30%                   37%                   37%                   36%

Twice a Year                                     16%                    17%                     9%                    21%

Quarterly or More Often            25%                    33%                   42%                   34%

Not at All                                          29%                    13%                    12%                    9%

Lack of Sharing on Cyberattacks

Sharing information gleaned from cyberattacks is key to defeating hackers and the U.S. government has consistently communicated how businesses can contact relevant federal agencies about cyber incidents they experience.

Unfortunately, when asked whether they share information they gather from cyberattacks, only one-quarter (25 percent) of directors – virtually unchanged from 2016 (27 percent) – say they share the information externally.  A similar proportion (24 percent) say they do not share the information with anyone and approximately half (51 percent) aren’t sure whether they do or not.

Of those sharing information on their cyberattacks, the vast majority (86 percent) share with government agencies (FBI, Dept. of Homeland Security) and close to half (47 percent) share with ISAC (Information Sharing & Analysis Centers).  Very few (8 percent) share with competitors.

Ransomware

Earlier this year, the “WannaCry” cyberattack, which impacted businesses in more than 150 countries, greatly raised awareness of the threat posed by ransomware.  When asked whether their company had taken steps to minimize its vulnerability to ransomware, a majority (60 percent) indicate they are addressing this threat. Of those targeting ransomware vulnerabilities, a majority (58 percent) are placing an increased emphasis on patch management and increasing the frequency of data back-ups (58 percent).  Close to half (46 percent) say they have increased their ability to restore data faster.

SOC for Cybersecurity

Earlier this year, the American Institute of Certified Public Accountants (AICPA) introduced a Cybersecurity Risk Management Framework – also known as “SOC for Cybersecurity” – that provides companies with a proactive approach for designing a risk management program and communicating about its effectiveness.  When asked about this initiative, just 40 percent of directors are familiar with it.

Of those aware of the voluntary Framework, more than one-third (35 percent) indicate that they are likely to utilize both readiness testing and formal audit/attestation for their program.  A little more than one-quarter (27 percent) indicate they will just utilize the readiness testing for their programs, while a much smaller minority (6 percent) plan to use the formal audit/attestation exclusively.  Almost one-third (32 percent) indicate they either do not plan to utilize the Framework (14 percent) or were unsure (18 percent) if they would.

These are just a few of the findings of the 2017 BDO Survey on Cyber Governance, conducted by the Corporate Governance Practice of BDO USA in August 2017.  The annual survey examines the opinions of 140 corporate directors of public company boards, with revenues ranging from $250 million to more than $1 billion, regarding cybersecurity governance.  For the full survey report go to 2017 BDO Cyber Governance Survey.

Earlier this month, BDO USA’s Corporate Governance Practice released the results of the 2017 BDO Board Survey on corporate governance and financial reporting issues.

BDO USA’s Corporate Governance Practice is a valued business advisor to corporate boards.  The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on a myriad of accounting, tax, risk management and forensic investigation issues.

About BDO USA

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 500 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 67,700 people working out of 1,400 offices across 158 countries.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.


Tags: ransomware
Previous Post

The Critical Nature of Funny

Next Post

Skillsoft Drives Higher Learner Engagement Through Global Compliance Solution Transformation

Corporate Compliance Insights

Related Posts

red paper plane breaking rank from white paper planes

Diligent to Become Largest Global GRC SaaS Company Through Galvanize Acquisition

February 24, 2021
gold cup award on red background with stars

Ethisphere Announces the 2021 World’s Most Ethical Companies

February 23, 2021
finger breaking digital padlock

SOC 2 Compliance: Why You Should Care

February 19, 2021
hands fitting puzzle pieces together on yellow background

LexisNexis® Risk Solutions and Accuity Join Operations

February 18, 2021
Next Post
Skillsoft Drives Higher Learner Engagement Through Global Compliance Solution Transformation

Skillsoft Drives Higher Learner Engagement Through Global Compliance Solution Transformation

Access realtime data
Addressing systemic racism in the workplace SAI Global
Dynamic Risk Assessments with Workiva
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights