The report emphasizes the direct involvement of cybersecurity experts within these committees as a critical factor. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, significantly higher than the 580 rating for companies with such experts only on the general board.

The report also highlights that highly regulated industries typically outperform others. The healthcare sector led with an average security rating of 730, while the financial services sector accounted for a significant proportion (33%) of companies that demonstrated advanced security performance, with an average rating of 720. Conversely, 24% of companies with basic security performance came from the industrial sector. The communications sector, according to the report, has the lowest overall performance rating at 630.

Highly regulated companies and industries traditionally adopt cyber programs and best practices more quickly because they’re used to, and better at, managing their risk, said Dave Gerry, CEO of cybersecurity firm Bugcrowd. “Ensuring that they are in compliance with the regulatory requirements they face is in their culture; adding cyber is simply another requirement they need to comply with,” he added.

More board involvement means more internal scrutiny

Companies with audit committees typically fare better than others when it comes to cybersecurity because of internal scrutiny, Lindahl-Wise said. “An informed audit (and more often an audit and risk committee) is more aware and aligned to the actual risks organizations are facing and will hold them to remediation plans than generic risks regulations focus on,” he said. “One envisages that the time to remediation of risks will be quicker with organizations with active audit committees in place.”

Companies with robust cybersecurity measures are not only taking concrete measures to protect their systems and sensitive data, but modern, next-generation solutions can also streamline operations and make employees more efficient, said Patrick Tiquet, vice president of security and architecture at Keeper Security. For example, a digital password manager can autofill passwords and reduce help-desk costs by significantly lowering the number of password-reset requests. “Automating routine tasks like these allows organizations to free up valuable resources they can then direct towards their business growth and strategic initiatives.”