Digital transformation initiatives are making their way to the top of boardroom agendas, according to findings from a new cyber-governance survey.
The findings from BDO USA’s 2018 Cyber Governance Survey signal that new regulations and emerging risks are driving boards to reevaluate corporate strategy and investments and that many boards today are working to better understand data privacy regulation.
“Developing a strategic path for an organization’s digital transformation and devoting company resources and board oversight to cyber-security and data privacy are now necessities for businesses to survive and thrive during this time of intense change,” said Amy Rojik, national assurance partner and director of BDO’s Center for Corporate Governance and Financial Reporting.
Conducted annually through the BDO Center for Corporate Governance and Financial Reporting, the survey measures the opinion of public company directors regarding timely and relevant corporate governance and financial reporting issues. This year, the survey was based on the opinions of 145 corporate directors, who provided their insights on how their boards are investing in digital capabilities, prioritizing cyber-security threats, and assessing digital privacy risks.
Digital transformation. According to the survey, 66 percent of public-company board directors said their organization either has a digital transformation strategy in place or is planning to develop one, “suggesting that digital transformation initiatives have transcended beyond the sole domain of IT to involve the entire organization,” BDO said. But while companies are making ad-hoc investments in digital, many have not yet set a digital transformation strategy into motion, given that 34 percent of respondents indicated that their organization has no digital transformation strategy currently and does not intend to develop one in the near term.
“Digital transformation is predicated on the foresight to re-imagine business five years into the future and then work backwards,” said Malcolm Cohron, BDO USA’s national digital transformation services leader. “The board of directors plays a critical role in catalyzing strategic planning for the long-term view. As the pace of change accelerates and the timeline of ‘long-term’ is shrinking, organizations that live solely in the present are already operating in the past.”
With or without a concrete strategy in place, boards are taking steps to address technology disruption, as revealed in the following findings:
45 percent have increased capital allocation toward digital initiatives and 29 percent have hired board members with relevant oversight skills.
16 percent of board directors have introduced new metrics for enhanced business insight.
Meanwhile, 29 percent of respondents said they have not taken any of these steps to address technology disruption, “which may point to organizations overlooking significant opportunities and underestimating critical risks to their business,” BDO said.
Cyber-security. Corporate board members must ensure their organization develops a complete picture of its cyber-security risks and adopts a threat-based cyber-security strategy in alignment with an existing enterprise risk management framework. In terms of capital investments, 75 percent of directors said their organization has increased its investment in cyber-security during the past 12 months—the fifth consecutive year that board members have reported increases in time and dollars devoted to cyber-security, BDO said.
The findings also revealed that public-company boards are becoming more involved in cyber-oversight. In fact, 72 percent of board members said their board is more involved with cyber-security now than it was a year ago.
With boards increasingly involved in discussions around cyber-security, especially because of regulatory changes and the potential for reputational damage, the cadence of reporting on cyber-security is rising. In fact, 32 percent of board members say they are briefed at least quarterly on cyber-security, while 32 percent are briefed annually. Nine percent of boards said they are not being briefed on cyber-security at all.
Regulation is also driving cyber-security activity for public-company boards. In the wake of this year’s SEC interpretive guidance to assist public companies in preparing disclosures about cyber-security risks and incidents, 58 percent of board directors indicated that their company has conducted readiness testing of cyber-security risk management programs, and 53 percent said they’ve implemented new cyber-security risk management policies or procedures. A quarter of organizations surveyed, however, have taken no steps to address the SEC’s guidance on cyber-disclosure obligations.
Additionally, 34 percent of respondents said their organizations have conducted a formal audit of their cyber-risk management program, but just seven percent have leveraged the Center for Audit Quality’s Cybersecurity Risk Management Oversight: A Tool for Board Members.
Data privacy. In recent years, the explosion of data has created new, unprecedented business challenges, including increased risk and cost. The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, is the most significant overhaul to the EU’s data privacy policies in over twenty years.
Among respondents who said they have been impacted, 78 percent report their organization has conducted a GDPR gap assessment. Another 78 percent have implemented or updated privacy notices, and 43 percent have updated their breach notification policies.
Just under one-third (32 percent) report increasing data privacy budgets, while another 32 percent have appointed a data protection officer, a requirement under the GDPR for organizations that engage in certain types of data processing activities.
Conversely, 69 percent of board directors said the GDPR has not impacted their company. “Chances are, many of them are wrong,” BDO said. “More muted reported impact among corporate directors may reflect lack of awareness or misunderstanding that still underlies many aspects of this new regulation.”
Concludes BDO: “Although we have seen an uptick in U.S. companies that have conducted GDPR assessments and updated privacy notices, there is still a lot of work to do. U.S. companies still seem to fall short of building a culture of privacy.”