Every year, Corporate Board Member and Spencer Stuart collaborate to survey directors of publicly traded companies to check their pulse on the challenges and best practices of corporate directorship in the United States.
This year, we found that one thing is on the minds of directors more than anything else: technology, particularly keeping pace with the unprecedented rate of disruptive change brought about by the digital revolution. In fact, cybersecurity and disruptive innovations are the two main issues that would be on the agenda if directors had the opportunity to bring in a panel of experts to provide additional insights.
The reality is that the skills to help overcome the fear of tech inadequacy remain in short supply for boards, as their main strengths continue to center around strategy and finance. Only 12 percent of directors in our study listed IT as one of the skills they bring to their boardroom.
“Demand for financial backgrounds has been growing in recent years, and 29 percent of new S&P 500 directors are active or retired executives with banking, finance, investment or accounting credentials, compared with 19 percent in 2007,” says Julie Hembrock Daum, who leads the North American Board Practice at Spencer Stuart. “In particular, we are seeing an increase in directors coming from investing and investment management, which account for 13 percent of new directors, up from 5 percent a decade ago.”
“boards have a challenge on their hands: revisiting their committee structure or renewing their skillsets.”
It is clear from talking with directors that cybersecurity not only remains a top concern but may also be intensifying. In last year’s survey, 78 percent of directors told us they felt additional regulation would have little effect in curbing cyber attacks and would overburden companies and their boards. This year, 20 percent say that high-profile breaches, especially those that occurred at Equifax, the SEC and Uber, have convinced them to change their stance in favor of more cyber regulation, enough to have tipped the scale in support of increased regulation in that area.
But a problem persists: At many companies the audit committee has been overburdened for some time now. And with an increasing number of issues falling within its purview, some are calling for shifting risk oversight out of the audit committee’s scope of responsibility, either by creating a pure risk committee, making risk a full-board responsibility or periodic rotating committee chairs and members.
According to Daum, S&P 500 boards have already begun reshaping their committee structures. “New committees are emerging, and several have become more prevalent in the past 10 years, including risk; science and technology; and environment, health and safety committees. In 2007, for example, 5 percent of boards had a science and technology committee, compared with 10 percent today.”
Innodata’s audit chair and member of both compensation and GovNom committees, Louise Forlenza, agrees with the new trend toward creating new, more focused committees. “The audit committee should not carry the full burden of cybersecurity,” she tells Corporate Board Member. “Cybersecurity and IT have become such an important part of any company…The audit committee should work with the IT committee—which I believe is a necessary committee on all boards—so both committees can be aware of each other’s work, processes, concerns and overall strategies. So, if and when an incident occurs, they already have familiarity with each other’s work.”
But it’s setting up to be an uphill battle, as 82 percent of the directors we polled don’t see the need for a distinct cyber risk committee. “While cybersecurity is a major risk for most companies,” said Taylor Simonton, chair of the audit committee and member of both compensation and Gov/Nom committees at Advanced Emissions Solutions, an energy company located in Colorado, “other significant risks will continue to arise, and they must be addressed at the board level, not necessarily by a separate committee each time one appears.”
It seems like boards have a challenge on their hands: revisiting their committee structure or renewing their skillsets. Either way, investors and regulators are pressing for change to stifle the growing threats of the cyber world.