Board expertise evolves with the times. Just consider that two decades ago, financial experts on corporate boards were a rarity. Today every public company board has designated at least one financial expert, because the Sarbanes-Oxley Act mandates it.
The Securities and Exchange Commission decided otherwise in 2023, when it dropped a proposal to require public companies to disclose which, if any, of their board directors had significant knowledge of or experience in cybersecurity. The National Association of Corporate Directors applauded that move, calling it unduly prescriptive.
But Zukis calls the decision “a mistake.” Whether they’re required to disclose it or not, bringing cyber expertise onto the board is particularly important for financial services companies, he adds, because “the sector is one big, highly connected information system.”
A recent ABA Banking Journal article identified third-party risks, AI-enabled phishing and ransomware—seizing an organization’s data and finances—as some of the rising cyber threats facing banks. The article noted that more than 800,000 cybercrimes were reported in the U.S. in 2022.
Banks have recognized for years the need to increase their board technology expertise, and they’re doing it. Bank Director’s 2023 technology survey found that 51 percent of participants said their board has at least one member they would consider to be a technology expert. Among those who did not, 38 percent said they were actively seeking a director with technology expertise.
But being knowledgeable about the broad domain of technology is not the same as being well-versed in cybersecurity, which is a specialized and rapidly evolving discipline. Large companies, Zukis notes, are recognizing this, and some are creating technology and cyber committees with directors who can understand the upside of IT and how to protect the downsides.
“Having a director with cybersecurity expertise on a board is a high-return, low-effort action that materially strengthens the boardroom as a control in the cybersecurity system,” Zukis says.
Where cybersecurity oversight doesn’t belong, Zukis declares, is the audit committee—which is where it often ends up: “Audit is the kitchen junk drawer of corporate governance. Don’t know where to put it? Throw it in there. We think that’s a leading bad practice, because there’s a skills and scope misalignment.” Audit’s focus is financial, and cybersecurity probably can’t get the attention it needs there.
Of course, it’s relatively uncommon for small banks to even have a board technology committee. Directors Briefing’s admittedly unscientific review of bank committee structures finds that board technology committees start to crop up once banking companies cross the $10 billion asset threshold.
Zukis says the risk committee is a good place for smaller banks to place oversight of cybersecurity. And he urges them to keep looking for cyber experts.
“Something on the order of 60 percent of global GDP is derived through digital systems,” Zukis says. “We don’t have a choice but to govern and understand these issues.”
Zukis leads Digital Directors Network, an organization for IT, cybersecurity and boardroom leaders he formed seven years ago to advance the practice and profession of digital and cybersecurity oversight.