Cybersecurity Experts on the Board of Directors

Cyber breaches are still going strong. Each year seems to be dubbed the new “Year of the Breach.” With 60 breaches of publicly traded companies, including one of the largest breaches of all time at Yahoo, 2016 was no different. So, it should come as no surprise that 2017 is on pace to surpass last year, with the count at 36 breaches as of June 30th. Breaches aren’t just small annoyances; they come with a cost.

The average data breach cost a total of $3.62 million and disclosed 24,089 records, according to Ponemon’s 2017 Cost of Data Breach Study. In addition to costs and records, the study also highlighted ways that companies can reduce costs in the event a breach does occur. These suggestions include creating an incident response team, encrypting personal data, participating in threat sharing, and creating Board-level involvement.


Based on the appointment of new directors, there is some evidence that companies are beginning to adopt cybersecurity protocols.

Over the past five years, the number of individuals with cybersecurity experience who have been appointed as directors of public companies has grown from 5 in 2012 to more than 20 in 2016[1].


But according to a survey conducted by the Harvard Business Review (HBR), boards aren’t moving quickly enough. When asked about the effectiveness of the board’s processes regarding its most pressing responsibilities, “among the 23 processes [HBR] asked about, directors ranked the ones related to cybersecurity dead last.” Additionally, HBR found that “keeping on top of risk and security issues” was the top challenge for boards.

To make matters worse, some industries that have seen the most cybersecurity breaches have been the slowest to react at the board level. For example, retailers are often targets of point-of-sale malware and have been the third most impacted industry, yet only two retail companies appointed a cybersecurity expert to their boards between 2012 and 2016. Others, such as banks, have been leaders on the issue. Financial service companies have appointed 13 cybersecurity experts to their boards, 8 of which were appointed by banks.

According to the Ponemon study, having board-level involvement reduces the average cost of a breach by $123,000 (3%). But having board-level involvement can facilitate even greater results. A board that is committed and knowledgeable about cyber risk can play a role in implementing an incident response team and participating in threat sharing, two actions that Ponemon estimates can reduce the average cost of a breach by $468,000 (13%) and $193,000 (5%), respectively. More importantly, such a board can guide the implementation of controls that reduce the risk of breaches altogether.

The Cybersecurity Data Breaches snapshot is available for purchase as part of Audit Analytics’ Exploratory Research. Our analysts engage in this research to help better understand current market conditions, and track the latest disclosure trends and regulations as they impact financial reporting.

For more information or to purchase any exploratory research, please email us at or call (508) 476-7007.

[1] Analysis was based on a text search of Current Reports (Item 5.02).