Corporate board directors

Directors find themselves looking for answers on cyber — and with homework on ESG

Board members realize it’s time to hit the books. According to PwC’s latest Pulse Survey, boards are stepping up their expectations of management in the areas of cybersecurity and climate disclosures and asking for more information. In August, cybersecurity risk concerns featured prominently across the C-suite, with director concerns leading the way. Now, only 32% of board members say they’re completely satisfied with the information they currently receive from management on both cybersecurity and climate risk. Directors want more detailed information more frequently so they can better understand risk.

While boards have made admirable progress in addressing concerns around ESG, coming regulation on climate risk disclosures may be a wild card. As climate regulations loom large, board members recognize they still have a lot to learn. If your company has a global footprint, understanding complex international regulations may be a game changer.

Board members want to know what’s behind the cyber reporting curtain

While overall reporting has left board members (86%) satisfied, only 32% of directors are completely satisfied with the information they receive from management on cybersecurity. Further digging reveals that many companies have not received decision-useful board reporting or employed adequate crisis response planning. With cybersecurity considered a top business risk, there’s room for improvement.

According to our August Pulse Survey, 53% of executives say their companies will increase their investment in digital transformation. But as a company’s digital footprint continues to grow, and as threat actors become more sophisticated, cyber risk also climbs. In March 2022, the SEC proposed to enhance and standardize cybersecurity disclosures, requiring that the registrant’s board of directors oversee cybersecurity risk. Coupled with impending SEC rule changes, this puts even greater demands on board oversight. 

When asked what management has done, 55% of directors say management has performed a tabletop exercise to prepare for a material cyber breach and 52% say that management has enhanced third-party risk management to include questions and/or requirements around cybersecurity risk. Because these are areas that are so critical to cyber attack resilience, these figures indicate that many companies could improve their processes. 

Yet, even with increased reporting, boards want better information. Less than half of board members (46%) say they’re receiving consistent, decision-useful CISO reporting to understand progress on key cyber risks. That information is mission critical in preparing for a cyber breach. Companies need a written incident response plan and should test that plan periodically. In addition, 65% of directors say that their companies have increased investment in cybersecurity infrastructure. Reporting should include clear explanations of how these investments will bolster company defenses.

Although boards overall appear satisfied with reporting, they’re asking for specifics on cybersecurity. Thirty-six percent say management has increased the frequency of CISO reporting. We have also seen an increase in private sessions with the CISO, although this is an emerging area, with 42% of board members reporting that they’re meeting with the CISO in private — a move that only a few years ago rarely happened, if at all.

What you can do

• Make sure that you’re meeting with the CISO regularly — both formally and informally. This can help improve your understanding of cyber issues. Make sure the CISO has enough time on the agenda and that you’re hearing from the CISO at least quarterly.
• Demand that reporting is holistic and robust enough to provide a substantive overview of the company’s key cyber risks. Be proactive by asking questions, diving below the surface on topics critical to building trust and providing transparency to stakeholders.

This is not a drill: Upskilling on cybersecurity is a must across the company

Only 19% of board members say their companies have recruited board members with specific cybersecurity and technology skills. Cybersecurity is technical, evolves quickly and requires transparency. Proper oversight warrants continued updating and education on cybersecurity — including insights on the latest threats, regulatory activity and company maturity level. Increased reporting and education on these topics can help board members improve oversight and governance. Just over half (51%) of directors say management has provided the board with internal and external education about cybersecurity.

Education goes beyond the boardroom, however. The workforce should understand the potential cybersecurity risks facing the company, including cyber risk in their roles. Management should focus on building cyber awareness into company culture. More than two-thirds of board members (68%) are seeing management connect the dots and provide this enhanced training for employees.

What you can do

• Understand that cybersecurity threats are no longer solely the domain of the CISO. Make sure cybersecurity is a top priority for your board. 
• Start by making sure board members have access to education opportunities and resources around cyber that are current.
• Encourage management to promote cybersecurity training across the enterprise.

Check yourself: Do you understand the impact of climate and sustainability disclosure requirements?

Keeping up on new and proposed sustainability reporting requirements around the world poses serious challenges for boards. Almost two-thirds (65%) of directors say they know how proposed SEC climate disclosure requirements will affect their companies. But when it comes to knowledge of broader EU Corporate Sustainability Reporting Directive (CSRD) requirements for companies with a global footprint, that figure drops to 35%.

The proposed SEC rules are long and complex, and they will affect every public company in the US. Our survey shows that companies are preparing. A majority (65%) of board members say they’re familiar with how the SEC rules would impact the company and 70% say management has performed a gap assessment of the company’s current climate risk disclosures. Almost two thirds (64%) say the company's processes and controls over ESG information are adequate. 

Awareness and preparation both drop when it comes to the new EU requirements. More than half (54%) of directors are either unsure or don’t understand if their company needs to comply with CSRD and 52% are either unsure or don’t understand how their company will be impacted. This is problematic because CSRD is much broader than climate, making it harder for companies (and boards) to catch up. 

The EU has considered materiality from two perspectives — the impact of sustainability matters on the company as well as the impact of the company on people and the environment. But this concept of double materiality is poorly understood. Most board members (59%) either don’t understand or are unsure what double materiality means.

What you can do 

• Keep up to date on proposed climate, social and other global sustainability reporting requirements, both in the US and abroad.
• Don’t let a lack of awareness and education result in compliance failures. If your company has a global footprint, make sure that management is providing you with a clear explanation of how international regulations will impact your company. 
• Don’t be caught off-guard. Maintain open communication with management on both the timing and impact of the coming climate and other sustainability reporting requirements. This way, you can help confirm that management — and the entire board — are prepared.