Cybersecurity governance: The board’s secret weapon for unlocking shareholder value

Cybersecurity is no longer a back-office technical concern — it’s a cornerstone of organizational success and resilience. A recent Diligent Institute study of over 4,100 mid-to-large-cap companies across seven countries makes it clear: robust cybersecurity governance is directly tied to financial performance. Boards that actively engage in cybersecurity oversight aren’t just protecting their organizations — they’re driving long-term shareholder value.

The evidence is compelling. Companies with advanced cybersecurity ratings deliver 3.8 times more shareholder value than those with weaker ratings. This finding underscores the need for boards to elevate cybersecurity from a cost center to a strategic investment.

Why board oversight is a game-changer

Strong cybersecurity practices don’t just mitigate risks — they enhance trust, foster innovation, and directly impact the bottom line. Effective board oversight ensures these benefits are realized by embedding cybersecurity into the fabric of an organization’s strategy. Key oversight practices include:

• Establishing specialized risk committees
• Integrating cybersecurity expertise into governance structures
• Customizing approaches based on industry-specific risks and regulatory requirements

Here’s how forward-thinking organizations are strengthening their cybersecurity frameworks:

Specialized risk committees: A foundation for success

Dedicated risk or audit committees with a focus on cybersecurity are becoming essential. These committees enable boards to:

• Focus on the evolving threat landscape.
• Allocate necessary resources.
• Leverage specialized expertise for informed decision-making.

Australian companies in the ASX 300 lead by example: 90% of them have specialized cybersecurity committees. This proactive governance contributes to their superior cybersecurity ratings.

In contrast, Japan’s Nikkei 225 index has room for improvement, with only 3% of companies adopting similar structures. Bridging this gap presents a significant opportunity for Japanese firms to strengthen their defenses and governance.

Cybersecurity expertise at the board level: Moving beyond the token expert

Having cybersecurity experts on the board is a start, but it’s the integration of their expertise into decision-making that delivers real impact.

• France’s CAC 40 companies excel in this regard, with 10% of boards incorporating cybersecurity experts.
• On the other hand, Australia, Canada, and Japan lag, with only 1-2% of boards including such expertise.

By embedding these specialists into cybersecurity oversight committees, companies ensure that their boards remain well-informed and proactive against emerging threats.

Industry variations: Regulations as a driving force

Regulatory frameworks play a pivotal role in cybersecurity performance. Highly regulated industries — such as finance or healthcare — consistently outperform others, thanks to stringent compliance requirements.

However, even within the same industry, geographic disparities remain:

• Countries like Australia, Canada, the UK, and the US show higher average cyber ratings when specialized committees are in place.
• Japan, despite having such committees, trails in average security performance, suggesting that committee structures alone are insufficient without complementary regulatory rigor and cultural shifts.

This highlights the need for organizations to adopt holistic approaches — combining oversight structures, industry-specific strategies, and robust compliance practices.

Recommendations for enhanced board oversight

To capitalize on these insights, boards should act decisively:

1. Create specialized risk committees Assign dedicated committees to oversee cybersecurity. Empower them with the expertise and resources needed to address risks head-on and stay ahead of threats.
2. Incorporate cybersecurity experts into governance Go beyond having a single expert on the board. Actively involve them in committees where their insights can shape policy and strategy.
3. Benchmark performance regularly Compare your organization’s cybersecurity posture against peers and industry standards. Use these benchmarks to identify gaps and refine strategies.

In a digital-first world, cybersecurity is a board-level priority that demands attention, expertise, and action. By embracing these best practices, boards can strengthen their organizations’ defenses, protect shareholder value, and ensure sustained success in the face of evolving cyber threats.

The message is clear: cybersecurity isn’t just about avoiding risk — it’s about unlocking opportunity and driving growth. Is your board ready to lead the charge?

The Cyber Leadership Playbook

Effective cyber governance starts with alignment. Discover strategies to help CISOs, GCs & boards manage risk with confidence.

Get the Playbookchevron_right