Boards taking steps to improve oversight of cyber risk but gaps remain
- Published: Wednesday, 02 February 2022 08:30
RANE (Risk Assistance Network + Exchange) and the Nasdaq Center for Board Excellence have released results of a survey of US publicly listed companies and nonprofits that show that boards and executive team members give themselves high marks for cyber security awareness but that additional training on cyber risks would be beneficial.
Cyber security has become the leading concern for businesses worldwide. The types of cyber risks that are the most important to boards/executive team members include:
- Ransomware attacks, which are the number one concern of the respondents.
- Cyber breaches resulting in stolen data: this is also an area of extreme concern, as are social engineering/phishing/business email compromise and cyber breaches resulting in destruction or manipulation of data.
The area of least concern was a cyber incident caused by an insider threat.
“One major finding of this survey is that boards often focus on ransomware or other highly publicized attacks without realizing the connection between the attacks and the intersection with geopolitical events,” says RANE CEO Steve Roycroft.
Almost all respondents express confidence that their board/executive team is prepared to respond to a cyber incident, however, some notable issue include:
- Only 59 percent of respondents say that cyber security training was provided to the board, and of those remaining, 69 percent indicated that they would like to receive training.
- A quarter of respondents say their board does not have a methodology for quantifying cyber security risk.
- The majority of respondents say their organizations carry cyber liability insurance, but only 9 percent say their policy ensures full resilience against any business interruptions.