{"id":117551,"date":"2022-08-08T09:00:00","date_gmt":"2022-08-08T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=117551"},"modified":"2023-07-21T14:25:03","modified_gmt":"2023-07-21T21:25:03","slug":"it-security-an-opportunity-to-raise-corporate-governance-scores","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/08\/08\/it-security-an-opportunity-to-raise-corporate-governance-scores\/","title":{"rendered":"IT security: An opportunity to raise corporate governance scores"},"content":{"rendered":"\n
<p>Corporate governance scoring is increasingly important to boards of directors, executive leadership, and the investment community. If we want to enlist the support of a stakeholder, we have to talk about the things that are important to them. Sales revenue is important to sellers. Data breach risk gets the attention of the chief information security officer (CISO). Governance scores often affect executive compensation and the way an analyst rates a company\u2019s stock. They are important to the board.<\/p>\n\n\n\n
<p>If the IT security team communicates in terms of improving a corporate governance score, it will get the board\u2019s attention. Boards have a lot of demands on their attention as they prioritize the many risks and opportunities they need to navigate. Moving the needle on a benchmark they already care about helps them prioritize IT security.<\/p>\n\n\n\n
<p>Corporate governance benchmarks, such as the Institutional Shareholder Services (ISS) ESG Governance QualityScore, are a focus area for boards, management, and investment analysts.<sup>1<\/sup> This is a language that they speak. If we want to advocate with these stakeholders, framing our IT security investments and actions in terms of an increased QualityScore is an effective way to do this.<\/p>\n\n\n\n<p>Leaders in the corporate governance space have recognized the part that IT security plays in corporate governance and have included this in their scoring methodology. Cybersecurity is identified as a focus area in Principles of Corporate Governance for the board risk oversight and management strategic planning responsibilities,<sup>2<\/sup> as well as an evolving governance challenge in the Harvard Law School Forum on corporate governance.<sup>3<\/sup> Security, particularly concerning data breaches, is identified by the Corporate Finance Institute as one of the principles of corporate governance.<sup>4<\/sup><\/p>\n\n\n\n<p>We\u2019ll identify the specific ways that IT security governance can impact a company\u2019s ISS Governance QualityScore, potentially driving analyst recognition, shareholder value, and executive compensation. This can help inform the board as they consider relative priorities and investments in IT security.<\/p>\n\n\n\n<p>While the discussion is applicable to all geographies and segments, the scoring example we\u2019ll use is for a United States-based company in the Standard and Poor\u2019s (S&P) 500 index.<\/p>\n\n\n\n<p>The ISS ESG Governance QualityScore is a data-driven scoring and screening solution designed to help institutional investors monitor portfolio company governance. 
The ISS Governance QualityScore global coverage is applied to approximately 7,000 companies, including those represented in S&P 500, STOXX 600, Russell 3000, Nikkei 400, and others around the world.<\/p>\n\n\n\n<p>The companies\u2019 annual meeting notes, regulatory filings, and other public-facing information are reviewed quarterly and in real-time for some events to update the QualityScore.<\/p>\n\n\n\n<p>The methodology is made available on the ISS website.<sup>5<\/sup><\/p>\n\n\n\n<p>To improve the organization\u2019s QualityScore and map the impact of IT security investments and activities, it is important to understand the factors (questions) and how a score is calculated.<\/p>\n\n\n\n<p>The topics scored include:<\/p>\n\n\n\n<p><em>The audit and risk oversight section is where the IT security-related factors are located. We\u2019ll focus our discussion on how to map and raise these factors.<\/em><\/p>\n\n\n\n<p>A raw score based on the factors is calculated and ranked relative to companies in the same index or region to promote an \u201capples to apples\u201d comparison, with a number from 1 to 10 assigned to each category. Figure 1 shows an example of a raw score and category score for each category for a United States-based company in the S&P 500.<\/p>\n\n\n\n<h2>How corporate governance scores are calculated<\/h2>\n\n\n\n
\n