The (somewhat) good news and bad news of corporate cyber readiness

The NACD's recently released Public Company Governance Survey contains both troubling and encouraging findings concerning the current state of cybersecurity risk readiness.

To protect themselves and their companies, corporate directors need to engage in active, engaged, informed, and documented oversight of cyber risks. (Photo: Shutterstock)

The National Association of Corporate Directors (NACD) recently released the results of its flagship 2017-2018 Public Company Governance Survey, which identifies key areas of concern for corporate directors.

This year’s survey results contain both troubling and encouraging findings concerning the current state of cybersecurity risk readiness at public companies.

Not surprisingly, the survey of 587 corporate directors of 520 public companies identified cyber security threats among the top five trends predicted to have the greatest effect on companies over the next 12 months, trailing behind only risks associated with significant industry change, business model disruption, and changing global economic conditions.

The (somewhat) good news

The encouraging news from the survey is that boards seem to be slowly gaining a better understanding of cybersecurity risks, enabling them to better vet and question the information they receive from corporate management about cyber risks.

This year, 15% of directors believe that their boards have very little or no knowledge of cyber risks, compared with 22% in 2015. By any measure, however, 15% is a remarkably high number for public companies concerning this critical risk.

On a brighter side, it appears that more of today’s corporate directors are not blindly accepting internal reporting concerning their company’s state of cyber readiness. Twenty-two percent (22%) of directors indicated dissatisfaction with the quality of cyber risk information they receive from corporate management. Those directors either do not believe that they have adequate transparency into the company’s cyber security problems or believe that the information they are receiving does not allow for effective internal and external benchmarking.

These should be critical areas of concern for every corporate director, as responsibility and liability for cybersecurity are beginning to reach board levels, as exemplified by the New York State Department of Financial Services (DFS) Cybersecurity Regulation, which contains explicit board responsibilities and mandates written certification of compliance with the regulation by the board or a senior officer. It is widely anticipated that other regulators will follow DFS’s lead and adopt similar regulations, further increasing the cyber risk stakes for corporate directors.

The bad news

The survey also contains some findings that have no silver lining. Only 37% of directors are confident or very confident that their companies are properly secured against a cyber attack, while 60% indicated that they are only slightly or moderately confident. Three percent (3%) responded that they are not at all confident.

In the survey’s Executive Summary, the NACD noted that the lack of board confidence “may be driven by the fact that existing defense systems quickly become obsolete when cyber threats mutate and companies adopt new technologies.”

Final thoughts

This year’s NACD survey provides an important reality check for directors and their legal counsel concerning the current state of board awareness and competence relating to cyber risk. Those risks are now firmly on the shoulders of today’s corporate directors.

Indifference to the risks or simply accepting internal reporting about them will not suffice, given their gravity and the financial, competitive, and reputational impact they can have on the enterprise.

Judy Selby, J.D., is a principal of Judy Selby Consulting LLC and a senior advisor at Hanover Stone Partners LLC. She provides insurance consulting, cyber insurance analysis, and insurance coverage expert witness services, with a particular focus on cyber-related issues. She can be reached at

Originally published on LegalTech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

