U.S. executives now consider cyberattacks the No. 1 risk companies are confronting, according to a PwC Pulse survey released Thursday. The study shows 40% of top business executives consider cyberattack risk their top concern, followed by talent acquisition at 38%.
Cybersecurity concerns have moved well beyond the office of the CISO or cyber risk officer, as the entire C-suite and corporate boards are focused on the risks of cyberattack.
Almost half of all corporate executives said they are making additional investments in cybersecurity, while slightly more than half of executives said they are increasing investments in digital transformation.
The study furthers a growing trend in the information security space where senior executives and corporate board members have become far more cognizant of the long-term financial and regulatory implications of cyber risk.
The evolution of cybersecurity to the top risk among corporate executives should not be considered a surprise, according to Lucia Milică, global resident CISO at Proofpoint.
“Boards and the C-suite have gradually adjusted their attitudes around cybersecurity, recognizing that it's no longer just an IT problem,” Milică said via email. “Cyber risk equals business risk and threat actors can do irreparable harm to an organization both in terms of financial losses and damaged reputations.”
Major regulatory bodies, from the Securities and Exchange Commission to the Federal Trade Commission and state bodies like the New York State Department of Financial Services, have announced additional disclosure requirements for companies. The requirements affect immediate notifications to either customers or investors about major data breaches or cybersecurity attacks.
One example PwC officials cited is the proposed SEC regulations in March that would require prompt and detailed disclosure of material cyber incidents — attacks and major data breaches — within four business days and also calls for enhanced corporate governance measures.
“What this says to me is at the board level, we’re grappling with how to get our hands around and understand this risk,” Sean Joyce, global cybersecurity and privacy leader at PwC, said in a conference call on Thursday.
The ever-changing and growing nature of the current risk means that cybersecurity must be top of mind at all organizations, according to Nicole Darden Ford, VP of global security and CISO at Rockwell Automation.
A number of major companies enacted significant internal changes after significant data breaches and ransomware attacks over the past 18 months.
Colonial Pipeline earlier this year named Adam Tice, former SVP at Equifax, as its first ever CISO. Colonial, which is privately held, was the target of one of the most significant ransomware attacks in U.S. history, as the incident led to the disruption of gasoline supplies to most of the southeast and eastern U.S. for almost a week in May 2021.
The study was conducted between Aug. 1-5 and is based on a survey of 722 cross-sector U.S. executives, including CFOs and corporate finance leaders, human resource leaders, tax leaders, corporate risk executives and other members of the C-suite.