Cybersecurity governance: The board’s secret weapon for unlocking shareholder value
Cybersecurity is no longer a back-office technical concern — it’s a cornerstone of organizational success and resilience. A recent Diligent Institute study of over 4,100 mid-to-large-cap companies across seven countries makes it clear: robust cybersecurity governance is directly tied to financial performance. Boards that actively engage in cybersecurity oversight aren’t just protecting their organizations — they’re driving long-term shareholder value.
The evidence is compelling. Companies with advanced cybersecurity ratings deliver 3.8 times more shareholder value than those with weaker ratings. This finding underscores the need for boards to elevate cybersecurity from a cost center to a strategic investment.
Why board oversight is a game-changer
Strong cybersecurity practices don’t just mitigate risks — they enhance trust, foster innovation, and directly impact the bottom line. Effective board oversight ensures these benefits are realized by embedding cybersecurity into the fabric of an organization’s strategy. Key oversight practices include:
- Establishing specialized risk committees
- Integrating cybersecurity expertise into governance structures
- Customizing approaches based on industry-specific risks and regulatory requirements
Here’s how forward-thinking organizations are strengthening their cybersecurity frameworks:
Specialized risk committees: A foundation for success
Dedicated risk or audit committees with a focus on cybersecurity are becoming essential. These committees enable boards to:
- Focus on the evolving threat landscape.
- Allocate necessary resources.
- Leverage specialized expertise for informed decision-making.
Australian companies in the ASX 300 lead by example: 90% of them have specialized cybersecurity committees. This proactive governance contributes to their superior cybersecurity ratings.
In contrast, Japan’s Nikkei 225 index has room for improvement, with only 3% of companies adopting similar structures. Bridging this gap presents a significant opportunity for Japanese firms to strengthen their defenses and governance.
Cybersecurity expertise at the board level: Moving beyond the token expert
Having cybersecurity experts on the board is a start, but it’s the integration of their expertise into decision-making that delivers real impact.
- France’s CAC 40 companies excel in this regard, with 10% of boards incorporating cybersecurity experts.
- On the other hand, Australia, Canada, and Japan lag, with only 1-2% of boards including such expertise.
By embedding these specialists into cybersecurity oversight committees, companies ensure that their boards remain well-informed and proactive against emerging threats.
Industry variations: Regulations as a driving force
Regulatory frameworks play a pivotal role in cybersecurity performance. Highly regulated industries — such as finance or healthcare — consistently outperform others, thanks to stringent compliance requirements.
However, even within the same industry, geographic disparities remain:
- Countries like Australia, Canada, the UK, and the US show higher average cyber ratings when specialized committees are in place.
- Japan, despite having such committees, trails in average security performance, suggesting that committee structures alone are insufficient without complementary regulatory rigor and cultural shifts.
This highlights the need for organizations to adopt holistic approaches — combining oversight structures, industry-specific strategies, and robust compliance practices.
Recommendations for enhanced board oversight
To capitalize on these insights, boards should act decisively:
- Create specialized risk committees
  Assign dedicated committees to oversee cybersecurity. Empower them with the expertise and resources needed to address risks head-on and stay ahead of threats.
- Incorporate cybersecurity experts into governance
  Go beyond having a single expert on the board. Actively involve them in committees where their insights can shape policy and strategy.
- Benchmark performance regularly
  Compare your organization’s cybersecurity posture against peers and industry standards. Use these benchmarks to identify gaps and refine strategies.
In a digital-first world, cybersecurity is a board-level priority that demands attention, expertise, and action. By embracing these best practices, boards can strengthen their organizations’ defenses, protect shareholder value, and ensure sustained success in the face of evolving cyber threats.
The message is clear: cybersecurity isn’t just about avoiding risk — it’s about unlocking opportunity and driving growth. Is your board ready to lead the charge?
Cybersecurity governance starts here
The Cyber Risk Virtual Summit (February 5-6, 2025) is an unmissable event for leaders committed to shaping the future of cybersecurity governance. This free, global gathering spans the Americas, EMEA, and Asia-Pacific, bringing together the brightest minds in cybersecurity to share the latest insights on emerging threats, trends, and governance strategies.
Gain critical knowledge on how to effectively manage and communicate cyber risks at the highest levels of your organization, and learn how to elevate cyber risk to a strategic priority for your board and leadership team.
Secure your spot today and join us in defining the future of cybersecurity governance.
- Register for the AMERICAS event here (February 5, 2025)
- Register for the EMEA event here (February 5, 2025)
- Register for the APAC event here (February 6, 2025)