For the fifth consecutive year, companies are devoting more time and money to cybersecurity, according to a survey of public companies by BDO USA LLP.
Cybersecurity is an ongoing preparedness issue for the oil and gas industry, as evidenced by appeals from several trade associations and the federal government, including the Federal Energy Regulatory Commission and the Department of Energy. The agencies investigated a series of cyberattacks directed at U.S. natural gas pipelines earlier this year.
The 2018 Cyber Governance Survey by BDO also found that 75% of corporate directors reported that their public companies increased their capital investment in cybersecurity over the past 12 months. BDO surveyed 145 directors in July and August. BDO informed NGI that their survey did not include a breakdown of the type of public company.
"Developing a strategic path for an organization's digital transformation and devoting company resources and board oversight to cybersecurity and data privacy are now necessities for businesses to survive and thrive during this time of intense change," said BDO's Amy Rojik, national assurance partner and director of the firm's Center for Corporate Governance and Financial Reporting. She added that this year's survey "reveals how public company board directors increasingly recognize...mitigating vulnerabilities related to cyber risk."
The survey found that about eight in ten companies surveyed claim they have avoided a data breach or incident in the past two years. Another 72% of respondents said their board is more involved with cybersecurity now than it was a year ago, and 79% said their companies have an incident response plan in place to respond to potential cyberattacks.
"With boards increasingly more involved in discussions around cybersecurity, especially due to regulatory changes and the potential for reputational damage, the cadence of reporting on cybersecurity is increasing," BDO said.
According to the survey, nearly one-third of respondents, or 32%, said they are briefed at least quarterly on cybersecurity, while another 32% are briefed annually. But 9% said they were not being briefed at all.
BDO said government regulation, including interpretive guidance issued last February by the U.S. Securities and Exchange Commission (SEC), was driving public boards to tackle cybersecurity matters. The SEC guidance was designed to assist public companies in preparing disclosures about cybersecurity risks and incidents.
Fifty-eight percent of the respondents said they had conducted readiness testing of cybersecurity risk management programs, while 53% said new policies or procedures had been implemented.
"Additionally, about one-third of companies, or 34%, have conducted a formal audit of their cyber risk management program," BDO said. However, only 7% of respondents have leveraged resources from the Center for Audit Quality, which is affiliated with the American Institute of Certified Public Accountants.
"Despite this, a quarter of organizations surveyed have taken no steps to address the SEC's guidance on cyber disclosure obligations," BDO added.