Digital transformation initiatives have moved beyond the sole domain of IT to involve the entire organization, elevating digital strategy to the top of the board agenda, according to BDO USA, LLP's 2018 Cyber Governance Survey. The survey results, released today, signal how new regulations and emerging risks are driving boards to reevaluate corporate strategy and investments. In addition, most directors indicated that their boards are working to better understand data privacy regulation.
"Developing a strategic path for an organization's digital transformation and devoting company resources and board oversight to cybersecurity and data privacy are now necessities for businesses to survive and thrive during this time of intense change," said Amy Rojik, national assurance partner and director of BDO's Center for Corporate Governance and Financial Reporting. "BDO's Cyber Governance Survey this year reveals how public company board directors increasingly recognize the competitive advantages of embracing a digital transformation strategy and mitigating vulnerabilities related to cyber risk."
Conducted annually through the BDO Center for Corporate Governance and Financial Reporting, the survey measures the opinion of public company directors regarding timely and relevant corporate governance and financial reporting issues. Survey participants provided their insights on how boards are investing in digital capabilities, prioritizing cybersecurity threats and assessing digital privacy risks.
In the world of business, the goals to disrupt, innovate and transform have become daily pursuits of organizations. However, while organizations may be making ad hoc investments in digital, many have not yet set a digital transformation strategy in motion.
- In fact, about one-in-three respondents (34 percent) say their organization has no digital transformation strategy currently and does not intend to develop one in the near future.
- Two-thirds (66 percent) of public company board directors say their organization either has a digital transformation strategy in place or is planning to develop one.
Malcolm Cohron, BDO USA's national Digital Transformation Services leader, stated, "Digital transformation is predicated on the foresight to re-imagine business five years into the future and then work backwards. The board of directors plays a critical role in catalyzing strategic planning for the long-term view. As the pace of change accelerates and the timeline of 'long-term' is shrinking, organizations that live solely in the present are already operating in the past."
With or without a concrete strategy in place, boards are taking steps to address technology disruption:
- Almost half (45 percent) have increased capital allocation toward digital initiatives and 29 percent have hired board members with relevant oversight skills.
- Another 16 percent of board directors have introduced new metrics for enhanced business insight.
- Meanwhile, nearly three-in-ten respondents (29 percent) said they have not taken any of these steps to address technology disruption, which may point to organizations overlooking significant opportunities and underestimating critical risks to their business.
For all the doors digital innovation opens, it also invites a host of new threats in the form of increasingly sophisticated cyber attacks. Corporate board members must ensure their organization develops a complete picture of its cybersecurity risks and adopts a threat-based cybersecurity strategy in alignment with an existing enterprise risk management framework. This is the fifth consecutive year that board members have reported increases in time and dollars devoted to cybersecurity. In terms of capital investments, 75 percent of directors say their organization has increased its investment in cybersecurity during the past 12 months.
- While about eight-in-ten (79 percent) companies surveyed say they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight: 72 percent of board members say the board is more involved with cybersecurity now than it was 12 months ago.
- Furthermore, eight-in-ten (79 percent) companies have an incident response plan in place to respond to potential cyber attacks.
With boards increasingly involved in discussions around cybersecurity, especially because of regulatory changes and the potential for reputational damage, the cadence of cybersecurity reporting is increasing.
- Close to one-third (32 percent) of board members say they are briefed at least quarterly on cybersecurity, while another 32 percent are briefed annually.
- However, nine percent of boards are not being briefed on cybersecurity at all.
In addition to precautionary measures, regulation is also driving cybersecurity activity for public company boards. In the wake of this year's SEC interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents, more than half of board directors indicate their company has conducted readiness testing of its cybersecurity risk management program (58 percent) and implemented new cybersecurity risk management policies or procedures (53 percent).
- Additionally, about one-third of companies (34 percent) have conducted a formal audit of their cyber risk management program, but just seven percent have leveraged the Center for Audit Quality's Cybersecurity Risk Management Oversight: A Tool for Board Members.
- Still, a quarter of organizations surveyed have taken no steps to address the SEC's guidance on cyber disclosure obligations.
In recent years, the explosion of data has created new, unprecedented business challenges, including increased risk and cost. The European Union's General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is the most significant overhaul of the EU's data privacy rules in over twenty years. Among respondents who say they are impacted:
- Seventy-eight percent report their organization has conducted a GDPR gap assessment, another 78 percent have implemented or updated privacy notices, and 43 percent have updated their breach notification policies.
- Just under one-third (32 percent) report increasing data privacy budgets, while another one-third (32 percent) have appointed a Data Protection Officer, a requirement under the GDPR for organizations that engage in certain types of data processing activities.
Conversely, more than two-thirds of board directors (69 percent) said their company is not impacted by the GDPR. Chances are, many of them are wrong: the GDPR applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, regardless of where the company is headquartered. The more muted reported impact among corporate directors may reflect a lack of awareness or a misunderstanding that still underlies many aspects of this new regulation. Although we have seen an uptick in U.S. companies that have conducted GDPR assessments and updated privacy notices, there is still a lot of work to do. U.S. companies still seem to fall short of building a culture of privacy.
About the BDO Board Survey
Conducted in July and August 2018, this year's survey examines the opinions of 145 corporate directors of public company boards. BDO USA's Corporate Governance Practice is a valued business advisor to corporate boards. The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on myriad accounting, tax, risk management and forensic investigation issues.
About BDO USA
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 550 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 73,800 people working out of 1,500 offices across 162 countries.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.