According to a newly released report from Diligent and Bitsight, companies that demonstrate advanced cybersecurity performance have a shareholder return that is 372% higher than their peers with basic cybersecurity performance.
Boards under pressure to fortify cyber oversight
The increase in cyber incidents’ frequency and severity has made cyber risk a primary challenge for boards. Boards face pressure to address cybersecurity risks effectively to protect their organizations’ interests in the face of increasingly sophisticated and pervasive cyber threats.
With projected financial losses from data breaches set to reach approximately USD 10.5 trillion by 2025, and with heightened scrutiny from regulators like the SEC, the board’s oversight role becomes even more critical. Boards are focusing on strong oversight mechanisms to manage cyber risk and safeguard their organizations’ financial health and reputation.
However, different boards take varying approaches to addressing cyber risk, raising questions about the effectiveness of different board governance structures and strategies.
The report also highlights that highly regulated industries like healthcare and financial services have the highest cybersecurity ratings. Companies with either a specialized risk committee or an audit committee perform better in cybersecurity than those with neither, with ratings of 710 and 650, respectively.
According to Dottie Schindlinger, Executive Director of the Diligent Institute, “These findings emphasize that cybersecurity is not just an IT problem but an enterprise risk with a significant impact on a company’s performance and long-term health. Boards and management need to be well-informed about cyber risk.”
Dr. Homaira Akbari, CEO of AKnowledge Partners, stated, “Cybersecurity is now a key indicator of financial performance. Companies must integrate cybersecurity into their business strategy backed by the full support of their boards.”
Security rating and financial performance
Companies with advanced security ratings deliver nearly four times more value to shareholders than those with basic security ratings. Over five-year and three-year periods, companies with advanced security performance ratings yielded 71% and 67% total shareholder return (TSR), respectively, while those in the basic performance range achieved 37% and 14% TSR.
Companies with a higher number of independent directors tend to have advanced security ratings. 76% of directors on boards of companies with advanced security ratings are independent, compared to 66% in the basic security performance category.
Specialized risk or audit committees enhance cybersecurity performance
Companies with specialized risk committees have a median cybersecurity rating of 730, slightly higher than companies with just audit committees at 720. This suggests that both committee types are effective in overseeing cyber risk. It is crucial for cybersecurity experts to be directly involved with cybersecurity oversight, whether on audit or specialized risk committees.
Highly regulated industries excel in cybersecurity compared to others
The healthcare sector has the highest average security rating at 730, and 33% of companies with advanced security ratings come from the financial services sector. The communications sector has the lowest overall performance rating at 630.
Derek Vadala, Chief Risk Officer at Bitsight, emphasized, “Market-leading companies prioritize cyber risk management and outperform their peers. Cyber risk is a crucial component of business performance that requires clear benchmarks and understanding across the executive team and board.”