Organisations that “do” cyber security practice at an advanced level generate a 372% higher return for their shareholders than those that perform at a more basic level, especially when their board members are engaged on the issues, according to a report from risk management specialists Diligent and Bitsight.
The study – Cybersecurity, audit and the board – analysed responses gathered from 4,000 mid- to large-cap companies in public indices from all over the world. It found the average total shareholder return (TSR) for advanced cyber performers over a five-year and three-year period was 71% and 67% respectively, while those in the basic performance range delivered TSR of 37% and 14% over the same timeframes.
“Cyber security is not just an IT problem – it is an enterprise risk that has a material impact on a company’s near-term performance and long-term health, and one that management and the board needs to be up to speed on,” said Keith Fenner, senior vice-president and general manager for EMEA at Diligent.
“With the cyber security threat and governance landscapes in the UK becoming more sophisticated and complex, now is the time for boards and leaders to build their competency around cyber risk.”
Bitsight advisory board member Homaira Akbari, who is also CEO of IT consultancy AKnowledge Partners, added: “Cyber security is no longer about simply mitigating risk, it’s now a key indicator of financial performance. Companies must treat cyber security as a cornerstone of their business strategy, guided by clear, ambitious benchmarks, and backed by the full support of their boards.”
The report’s co-authors also found that organisations with more independent directors were more likely to have advanced security ratings – 76% of directors on the boards of such organisations were deemed independent, compared with 66% of those in the basic performance category. However, only 3% of UK organisations surveyed said they had a cyber security expert on their board, suggesting their presence alone is not the panacea it is often presented as.
But the better performers did not just have more engaged board members – those that spent time and money establishing specialised audit committees and specialist risk committees also tended to perform better. In the UK, 48% of organisations listed on the FTSE 100 and 250 have a specialised risk committee, and 100% of FTSE 350 companies have an audit committee – in line with regulatory requirements. Organisations that had a cyber security expert sitting on the risk or audit committees also attained a higher level of security performance, the report said.
The report also found a significant correlation between high-performing organisations and whether or not their industries were highly regulated. The healthcare sector proved to have the highest average security performance ratings, and of those companies that achieved advanced security performance ratings, a third were operating in the financial services sector. In contrast, 24% of those with basic performance ratings were operating in the industrial sector, with communications specialists tending to perform less well, too.
“The research shows that market-leading companies that prioritise cyber risk management outperform their peers,” said Derek Vadala, Bitsight’s chief risk officer. “This cannot be achieved without a strong understanding of cyber security performance and clear benchmarks shared across the executive team and board. The role of the CISO has shifted. Cyber risk is a key component of business performance.”