Banks recognise the importance of tackling cybersecurity risks and spend billions of dollars to this end; however, their boards lack the necessary expertise to oversee cyber risks. Our report, Cyber expertise on the boards of US banks, explores the profile of cyber experts on US bank boards using disclosures for the financial year ending on 31 December 2017. Below are the key takeaways from the report:
1. Cyber-related expertise among non-executive directors (NEDs) of US banks remains low. Only 4% of non-executive directors serving on the boards of 30 of the biggest US banks had executive experience in roles with responsibility over matters of cybersecurity. However, 22 banks state in their disclosures that at least one of their non-executive directors has cyber/technology expertise.
2. Only 12 of the 30 banks covered in the report have appointed a NED with executive experience in cybersecurity.
3. NEDs with executive experience in cybersecurity are more likely to hold a full-time position at another company than other non-executive directors. However, their board workload is higher than that of other directors.
4. Banks have appointed more cyber experts to their boards in recent years. The average tenure of NEDs with executive experience in cybersecurity roles is almost four years shorter than the average tenure of other NEDs.
5. More than two-thirds of NEDs with executive experience in cybersecurity are risk committee members.
Lack of adequate expertise prevents boards from effectively monitoring how cybersecurity risks are being managed. Banks have the difficult task of appointing individuals who are not only cyber experts, but also possess board-level experience.