Get in touch

Board Insights: S&P500 companies lack cybersecurity and technology expertise on their boards.

September 25, 2023

In a recently published study of cybersecurity and technology expertise on S&P 500 Boards, only 12% of S&P500 companies had a “cyber expert” on the board, and only 31% had any board member with technology expertise. The study was undertaken by NightDragon and Diligent and reviewed the S&P 500 organizations and the Board of Directors and their backgrounds. The “State of Cyber Awareness in the Board Room” report and results were endorsed by ISC2, NYSE, Glass Lewis, Moody’s, and Spencer Stuart.

Just as financial literacy is considered an important qualification for board members, in 2023 cybersecurity and technology expertise is rapidly becoming a need-to-have on corporate boards. Today’s companies are not only technology driven, they are also increasingly under attack from cybercriminals. Corporations have an obligation to shareholders to mitigate risk to their organization, and managing cybersecurity risks is an important and essential part of corporate governance.

The larger the company, the larger the target for cyberattack. This month, MGM Resorts, an S&P 500 company listed on the NYSE, was the victim of a cyberattack that significantly affected its online business operations including hotel booking and gaming. The MGM Resorts portfolio includes over 31 hotels and gaming destinations, including the Bellagio, MGM Grand and Mandalay Bay in Las Vegas. It took the company 10 days to get services back online. While the attack is still under investigation, early reports point to social engineering being used to impersonate an employee and gain access to the administration of online services. The cost to MGM Resorts of the attack are significant, and still being assessed, however the losses have been estimated in the range of $80 million.

Looking at the MGM Resorts Board of Directors, the 11 member board is dominated by accomplished business executives, however none appear to be technology or cybersecurity experts. Given the recent cyberattack, adding cybersecurity and technology expertise to the board should be a priority not only for MGM Resorts, but also the other 70% of the S&P 500 companies who currently lack board members with this expertise.

There is some encouraging news from Spencer Stuart, who have seen an increase in the number of nominating/governance committee chairs seeking cyber expertise. In their 2023 survey, 19% of respondents (up from 8% in 2022) indicated they are seeking cyber expertise, and 60% of respondents identified cybersecurity as a topic beneficial for director development.

Boards looking to augment their tech and cybersecurity expertise need to find board candidates who have a strong grasp of cybersecurity and technology combined with business and financial acumen. While CISOs are “cyber experts” they also need business expertise to take a board seat. C-Suite executives from cybersecurity companies broaden the pool of board candidates and offer a strong combination of cybersecurity and business expertise. While it is beneficial for all board members to have a basic level of training in cybersecurity, given the sophistication of cybercrime it is important for boards to add board members with direct cybersecurity and technology experience.

Firstboard.io strongly supports the results of this new report by Diligent and NightDragon and the need to add cybersecurity and technology expertise at the Board level. Firstboard is a collective of highly accomplished female technology leaders, many with relevant cyber security expertise, who are ready to serve on corporate boards.

We encourage any company looking to add cybersecurity and technology expertise to their board to reach out to Firstboard.io

+1 415-851-3446, contact@firstboard.io

Further Resources

The National Association of Corporate Directors (NACD) has an excellent publication entitled 2023 Director’s Handbook of Cyber-Risk Oversight

About the Author

Paula Skokowski has more than fifteen years of cybersecurity experience bringing to market industry leading security solutions at Shape Security, Yubico, and Incognia. She is the author of the first industry report on Credential Stuffing and is experienced in security vulnerability reporting and communication. She is a highly accomplished business leader and early employee at five VC-backed technology startups across cybersecurity, fraud, AI, robotics and IoT, resulting in three IPOs, and one $1B acquisition. Paula is a Co-Founder and Fund Manager for the Oxford Angel Fund and is a GTM Advisor to early-stage companies. Paula holds a Bachelor's degree in Engineering Science from the University of Oxford and an MSc in Robotics from UC Berkeley. She part of the Leadership Council of Firstboard.io, working to add diversity to corporate boards, and is a member of the University of Oxford Alumni Board.