Advanced cybersecurity performance translates to higher shareholder returns

April 08, 2024 - Strong cybersecurity performance in healthcare is crucial for ensuring patient safety and operational continuity at all times, especially during a cybersecurity incident. But new research shows that the strength of an organization's cybersecurity program is directly tied to financial performance as well.

Companies with advanced cybersecurity performance over a five-year and three-year period delivered an average total shareholder return (TSR) of 71 percent and 67 percent, respectively, according to a new report from Diligent Institute and Bitsight. Peers who scored in the basic cybersecurity performance range delivered 37 percent and 14 percent TSR, comparatively.

Diligent Institute and Bitsight analyzed data from more than 4,000 organizations across multiple sectors. Researchers created methods to assess board oversight of cybersecurity and to categorize organizations into basic, intermediate, and advanced security performance classifications.

Following this methodology, the researchers found that highly regulated industries, such as healthcare and finance, outperformed other industries in terms of cybersecurity performance. Of all the analyzed sectors, healthcare had the highest average security rating.

In addition to the observed relationship between cybersecurity performance and shareholder return, researchers detected a correlation between board structure and security ratings. Companies with specialized risk committees performed significantly better than those without.

“One possible explanation is that delegating oversight of complex areas of risk – like cyber – allows for more detailed focus by select members of the board,” the report stated.

“Committees are better positioned to dive deep into specific cybersecurity issues and they can develop stronger relationships with the executives charged with the day-to-day cybersecurity operations. This, in turn, can lead to better cybersecurity-related policy, budget and other decisions being made at the board level.”

These findings highlighted the importance of board-level buy-in for cybersecurity. However, the having cyber experts present on the board, while helpful, may not lead to improved cybersecurity performance on its own, previous research from Diligent Institute and NightDragon showed.

Rather, the researchers suggested that incorporating these experts into existing structures used to manage risk, such as the previously mentioned specialized risk committees, may have a notable positive impact on security performance.

“Companies seeking to hire cybersecurity expertise for the board should first ensure that the board is appropriately organized so that expertise can be properly incorporated into the oversight mechanisms,” the report suggested.

Overall, the research showed that healthcare and other highly regulated industries understand the importance of cybersecurity in their sectors, and are taking action to improve it from the board level.

“These findings show that cybersecurity is not just an IT problem — it is an enterprise risk that has material impact on a company’s near-term performance and long-term health, and one that management and the board needs to be up to speed on,” said Dottie Schindlinger, Executive Director of the Diligent Institute.

“With increased pressure from regulators for organizations to demonstrate how they oversee cybersecurity, now is the time for boards and leaders to build their competency around cyber risk.”