Report suggests cybersecurity investment, board involvement linked to better shareholder returns

Cybersecurity preparedness and financial success are strongly correlated: companies that maintain strong security measures outperform peers with only basic defenses by as much as 372% in shareholder returns, according to a report by Diligent and Bitsight.

The report, which analyzed data from more than 4,000 global companies, found that over a three-year period, the average total shareholder return for companies with advanced security performance ratings was 67%, compared to 14% for companies with only basic ratings.

Over a period of five years, companies in the advanced performance range showed an average total shareholder return of 71%, while those in the basic performance range recorded an average return of 37%.

“Some of the companies with high cybersecurity scores are in high-growth sectors, such as technology, that have had strong financial performance over the last several years,” the report’s authors said. “Additionally, the improved performance may also stem from the fact that companies in the advanced security performance bracket also possess robust governance fundamentals.”

While it might be a stretch to draw a direct link between better financial performance and good cybersecurity, “we know that the insurance industry is beavering away to pool actuarial data together,” Gareth Lindahl-Wise, CISO of managed detection and response provider Ontinue, told CSO. “What is indisputable is the positive advantage organizations derive from perceived and actual high levels of cybersecurity performance on reputation.”

Risk and audit committees linked to better cybersecurity performance

The report also found that companies with specialized risk or audit committees demonstrated a more robust cybersecurity performance than those without either. The report’s rating system assigned companies a cybersecurity rating between 250 and 900; those with specialized risk committees received a median rating of 730 and those with audit committees a median rating of 720.

The report emphasizes the direct involvement of cybersecurity experts within these committees as a critical factor. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, significantly higher than the 580 rating for companies with such experts only on the general board.

The report also highlights that highly regulated industries typically outperform others. The healthcare sector led with an average security rating of 730, while the financial services sector accounted for a significant proportion (33%) of companies that demonstrated advanced security performance, with an average rating of 720. Conversely, 24% of companies with basic security performance came from the industrial sector. The communications sector, according to the report, has the lowest overall performance rating at 630.

Highly regulated companies and industries traditionally adopt cyber programs and best practices more quickly because they’re used to, and better at, managing their risk, said Dave Gerry, CEO of cybersecurity firm Bugcrowd. “Ensuring that they are in compliance with the regulatory requirements they face is in their culture; adding cyber is simply another requirement they need to comply with,” he added.

More board involvement means more internal scrutiny

Companies with audit committees typically fare better than others when it comes to cybersecurity because of internal scrutiny, Lindahl-Wise said. “An informed audit (and more often an audit and risk committee) is more aware and aligned to the actual risks organizations are facing and will hold them to remediation plans than generic risks regulations focus on,” he said. “One envisages that the time to remediation of risks will be quicker with organizations with active audit committees in place.”

Companies with robust cybersecurity measures are not only taking concrete measures to protect their systems and sensitive data, but modern, next-generation solutions can also streamline operations and make employees more efficient, said Patrick Tiquet, vice president of security and architecture at Keeper Security. For example, a digital password manager can autofill passwords and reduce help-desk costs by significantly lowering the number of password-reset requests. “Automating routine tasks like these allows organizations to free up valuable resources they can then direct towards their business growth and strategic initiatives.”
