IT security: an opportunity to raise corporate governance scores
What is a corporate governance score?
Corporate governance scoring is increasingly important to boards of directors, executive leadership, and the investment community. If we want to enlist the support of a stakeholder, we have to talk about the things that are important to them. Sales revenue is important to sellers. Data breach risk gets the attention of the chief information security officer (CISO). Governance scores often affect executive compensation and the way an analyst rates a company’s stock. They are important to the board.
If the IT security team communicates in terms of improving a corporate governance score, it will get their attention. Boards have a lot of demands on their attention as they prioritize the many risks and opportunities they need to navigate. Moving the needle on a benchmark they already care about helps them prioritize IT security.
Corporate governance benchmarks, such as the Institutional Shareholder Services (ISS) ESG Governance QualityScore, are a focus area for boards, management, and investment analysts.1 This is a language that they speak. If we want to advocate with these stakeholders, framing our IT security investments and actions in terms of an increased QualityScore is an effective way to do this.
Leaders in the corporate governance space have recognized the part that IT security plays in corporate governance and have included this in their scoring methodology. Cybersecurity is identified as a focus area in Principles of Corporate Governance for the board risk oversight and management strategic planning responsibilities,2 as well as an evolving governance challenge in the Harvard Law School Forum on corporate governance.3 Security, particularly concerning data breaches, is identified by the Corporate Finance Institute as one of the principles of corporate governance.4
We’ll identify the specific ways that IT security governance can impact a company’s ISS Governance QualityScore, potentially driving analyst recognition, shareholder value, and executive compensation. This can help inform the board as they consider relative priorities and investments in IT security.
While the discussion is applicable to all geographies and segments, the scoring example we’ll use is for a United States-based company in the Standard and Poor’s (S&P) 500 index.
How corporate governance scores are calculated
The ISS ESG Governance QualityScore is a data-driven scoring and screening solution designed to help institutional investors monitor portfolio company governance. The ISS Governance QualityScore global coverage is applied to approximately 7,000 companies, including those represented in S&P 500, STOXX 600, Russell 3000, Nikkei 400, and others around the world.
The companies’ annual meeting notes, regulatory filings, and other public-facing information are reviewed quarterly and in real-time for some events to update the QualityScore.
The methodology is made available on the ISS website.5
To improve the organization’s QualityScore and map the impact of IT security investments and activities, it is important to understand the factors (questions) and how a score is calculated.
The topics scored include:
- Board structure.
- Compensation.
- Shareholder rights.
- Audit and risk oversight.
The audit and risk oversight section is where the IT security-related factors are located. We’ll focus our discussion on how to map and raise these factors.
A raw score based on the factors is calculated and ranked relative to companies in the same index or region to promote an “apples to apples” comparison, with a number from 1 to 10 assigned to each category. Figure 1 shows an example of a raw score and category score for each category for a United States-based company in the S&P 500.
Category | Category Raw Score | Category Score |
---|---|---|
Board Structure | 25.0 | 7 |
Compensation | 19.5 | 10 |
Shareholder Rights | 28.0 | 5 |
Audit & Risk Oversight | 56.5 | 4 |
Overall Raw Score | Governance QualityScore | |
Total | 129.0 | 8 |
Table 1. Score methodology example for S&P 500 United States-based company.
Rating Category | Questions Scored |
---|---|
Board Structure | 51 |
Audit and Risk Oversight | 21 |
Shareholder Rights | 32 |
Compensation | 37 |
Total | 141 |
Table 2. Questions scored in each category for a United States-based company.
For the United States, there are 141 factors scored. Twenty-one are for the Audit and Risk Oversight category. Of these, 11 are related to information security. Thus, more than half of this category’s raw score that will be scaled to create the 1 to 10 QualityScore for the Audit and Risk Oversight category is related to IT security.
The definition of IT security-related questions differs from what an IT security and compliance professional will have encountered from working with the ISO, the NIST, or similar security standards. We’ll look at this next.
IT security conversation with the board and executives through the corporate governance lens
The factors used for the governance score are different from what we’d encounter in an IT audit. They don’t cover the fulsome controls and defense in depth that we’d expect as IT security professionals. Some are likely part of key performance indicators (KPIs) already tracked, such as those relating to awareness and training, financials, and breaches.
When a strategic plan or business case for an investment is presented to leadership, it can be mapped to the QualityScore factors. An improvement in the governance score can be forecasted.
An example is provided below for the implementation of Microsoft Purview Audit (Premium). This tool is a part of Microsoft 365, is easily deployed, and has no user impact or change management requirements. In the event of a credentials compromise, it provides forensic information to understand if there was a breach of sensitive information, what documents may have been accessed by the bad actor, and provides retention of audit data for long periods of time.
QuestionID | Question | Mapping for Microsoft Purview Audit (Premium) |
---|---|---|
402 | Does the company disclose an approach to identifying and mitigating information security risks? | Audit (Premium) allows a company to identify the information accessed by a bad actor if an account is compromised. It provides forensic information to understand the consequences of a breach and remediate appropriately. This is part of risk mitigation. |
406 | What are the net expenses incurred from information security breaches over the last three years relative to total revenue? | Audit (Premium) makes information available that can differentiate a breach that has no impact from one that has a massive impact on the company, its partners, and its customers. Without this information, the company may incur massive costs for breach notification and mitigation that would not be necessary if the breach could be properly scoped. |
407 | Has the company experienced an information security breach in the last three years? | Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. Reporting information security compromises correctly, including knowing what is and is not a breach is a focus of Audit (Premium). |
408 | What are the net expenses incurred from information security breach penalties and settlements over the last three years relative to total revenue? | The expenses and penalties incurred due to an information security breach will vary greatly depending on the scope and impact of the breach. Expenses and penalties can be reduced as a result of the forensic information Audit (Premium) makes available. |
409 | Has the company entered into an information security risk insurance policy? | Insurers require underwriting to issue security risk insurance policies. Underwriting depends on the company’s IT security program, controls, and governance. Audit (Premium) is an important part of the security program, providing uniquely valuable forensic information. |
412 | How long ago did the most recent information security breach occur (in months)? | Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. It can enable a forensic investigation that scopes a breach in terms of time and the timing of bad actor activities in this period. |
Table 3. Example Mapping of Microsoft Purview Audit (Premium) to ISS Governance QualityScore.
Alignment with the Governance QualityScore goes beyond the support of security solutions and investments.
Some of what the company may already have in place, like security training, standards-based audit, metrics, and reporting is part of the scoring. Communicating this so that it is reflected in the governance score increases the company’s return on investment and leadership’s awareness of the contributions of the security team.
The score will be boosted by having senior leadership regularly brief the board on information security matters.
Adding a board member with security experience will also boost the score. These will give the security function the attention and investment that it needs from leadership to increase the company’s security posture.
Conclusion
Showing how a company’s Governance QualityScore benefits from their investment in security demonstrates additional return on investment and wins support for the security program from a range of stakeholders. Stakeholders that may not recognize the value of IT security controls and processes or understand IT security risk may recognize the financial and brand value of an increased governance score.
As time goes on, the expectations for IT security to be part of corporate governance will increase. The focus on the breach will likely be broadened to a more holistic perspective. Additional factors will be considered and the impact of IT security on the overall scoring will increase.
Consider demonstrating how an IT security investment or activity will raise your company’s governance score along with other aspects of the business case and risk management when presenting to leadership to make a fulsome case for action.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.
1Institutional Shareholder Services ESG Governance QualityScore, ISS. March 31, 2022.
2Principles of Corporate Governance, Harvard Law School Forum on Corporate Governance. September 8, 2016.
3Cybersecurity: An Evolving Governance Challenge, Harvard Law School Forum on Corporate Governance. March 15, 2020.
4Corporate Governance, Corporate Finance Institute. May 8, 2022.
5Governance QualityScore, ISS.
READ MORE HERE