Inexpert Supervision: Field Evidence on Boards’ Oversight of Cybersecurity

Management Science · 2025
Cited by 4 · Top 9% among papers in the same journal and year
Renmin University A+ · FT50 · UTD24 · ABS 4*

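Summary

A field study of boards' new responsibility to oversee cybersecurity risk finds that nonexpert directors' oversight efforts lack substance and are mostly symbolic, while expert directors are aware of this deficiency.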

Abstract

We conduct a field study of boards’ emerging responsibility to oversee cybersecurity risk, a setting in which few directors have expertise. We find that, although nonexpert directors may genuinely seek to provide diligent oversight, without expertise their efforts lack substance and therefore are mostly symbolic, even when they perform the same oversight activities as expert directors. We also explore why boards do not prioritize the appointment of cybersecurity experts and show that nonexpert directors do not perceive that their efforts are symbolic and insufficient. In contrast, expert directors perceive keenly the deficiency of their nonexpert counterparts and argue for the need for more cybersecurity experts on boards, and this viewpoint is shared by cybersecurity executives and consultants who support the board. Thus, we contribute to our understanding of when boards are likely to provide substantive versus symbolic oversight and inform the debate on the merits of board-level cybersecurity expertise.

This paper was accepted by Ranjani Krishnan, accounting.

Funding: This work was supported by a Security, Privacy, & Trust grant from the Pamplin College of Business and the Commonwealth Cyber Initiative of Virginia.

Supplemental Material: The online appendix is available at https://doi.org/10.1287/mnsc.2023.04147.

Board oversight · Cybersecurity · Nonexpert directors · Symbolic oversight