Companies that demonstrate advanced cybersecurity performance generate 372% higher shareholder returns than their peers with basic cybersecurity performance, according to a new report from Diligent and Bitsight.
Boards come under pressure to increase cyber oversight
The increasing frequency and severity of cyber incidents have made cyber risk one of the biggest challenges facing boards. As cyber threats become increasingly sophisticated and prevalent, boards are under pressure to effectively address cybersecurity risks to protect their organizations' interests.
With economic losses from data breaches predicted to reach approximately USD 10.5 trillion by 2025, and new pressure from regulators such as the SEC, the oversight role of boards will become even more important. Boards prioritize robust oversight mechanisms to reduce cyber risk and protect the organization's financial health and reputation.
However, the approaches boards take to address cyber risks vary, raising questions about the effectiveness of different board governance structures and strategies.
The report also found that highly regulated industries such as healthcare and financial services have the highest cybersecurity ratings. It also reveals that companies with either specialized risk committees or audit committees have better cybersecurity performance than companies with neither, with ratings of 710 and 650, respectively.
“These findings demonstrate that cybersecurity is not just an IT issue, but an enterprise risk that has a significant impact on a company's short-term performance and long-term health, and that executives and boards need to stay informed,” said Dottie Schindlinger, executive director of the Diligent Institute. “With increasing pressure from regulators to demonstrate how organizations oversee cybersecurity, now is the time for boards and leaders to build their cyber risk capabilities.”
“Cybersecurity is no longer just about mitigating risk; it has become a key indicator of financial performance. Businesses are increasing their cyber security efforts, guided by clear and ambitious benchmarks and with full board support. Security must be treated as a cornerstone of business strategy,” added Dr. Homaira Akbari, CEO of AKnowledge Partners, member of the Board of Directors of Santander Bank and Landstar Bank Systems, and member of Bitsight's Advisory Board.
Security rating and financial performance
Companies with advanced security ratings deliver nearly four times more value to shareholders than companies with basic security ratings.
The five-year and three-year average total shareholder returns (TSR) for companies with advanced security performance ratings were 71% and 67%, respectively, while those in the basic performance range achieved TSR of 37% and 14% over the same time frames.
Companies with a higher number of independent directors are more likely to have a high security rating. Approximately 76% of the directors on the boards of companies with an advanced security rating are independent, whereas in the basic security performance category 66% are independent.
A dedicated risk or audit committee strengthens your cybersecurity performance
Companies with a dedicated risk committee have a median cybersecurity rating of 730, compared to 720 for companies with only an audit committee, a comparison of dedicated risk committees' and audit committees' ability to oversee cyber risk.
Having a cybersecurity expert on the general board is not enough. These professionals should be directly involved in cyber surveillance. Companies with cybersecurity experts on either their audit committees or specialized risk committees achieve an average security performance rating of 700; companies where they are not part of either committee have a security performance rating of 580.
Highly regulated industries have better cybersecurity compared to other industries
Healthcare had the highest overall average security rating of 730. Of the companies that received advanced security performance ratings, 33% were in the financial services sector, with an average rating of 720.
By comparison, 24% of companies with a basic security performance rating were in the industrial sector, and the sector with the lowest overall performance rating was the communications sector at 630.
“Our research shows that market-leading companies that prioritize cyber risk management outperform their industry peers,” said Derek Vadala, Chief Risk Officer at Bitsight. “We cannot achieve this without a deep understanding of cybersecurity performance and clear benchmarks shared across management and the board. The role of the CISO has changed. It's an element.”