Report

Supervisory boards need more digital expertise

19.10.2022
Digital knowledge and experience are currently not particularly important factors in selecting and appointing supervisory board members. Fewer than a third of companies attach high or very high relevance to the digital competence of their supervisory boards. This is a result of a joint study by the law firm Noerr and the TUM Center for Digital Public Services led by Professor Dirk Heckmann at the Technical University of Munich (TUM). For the study, 300 first- and second-level managers from companies with 250 or more employees were interviewed.

Sophia Habbe, Frankfurt-based partner and co-head of Noerr’s Compliance & Internal Investigations practice group said: “The ongoing digitalisation of corporate processes and business models has made digital competence essential for supervisory boards. Without such competence, they cannot perform their function as central controlling instances to monitor management and evaluate whether it has correctly assessed the risks of digital technologies.”

Peter Bräutigam, Munich-based partner and, according to legal directories (Juve, Chambers), a leading expert in IT law in Germany, added: “Supervisory boards also need the expertise required to assess digital compliance risks. According to our study, 27% of the responding companies have reported data protection incidents in the last three years. The increased use of cloud solutions in companies is a particular challenge that requires supervisory boards to also monitor how management deals with the associated risks.”

Supervisory boards have a variety of digital tasks. They must monitor management with regard to digital business processes, the use of new technologies and IT infrastructure that is secure and complies with data-protection law. They must also ensure that management is establishing suitable compliance structures in the company.

According to the study, many supervisory boards are insufficiently prepared for these tasks. Only 28% of companies consider digital expertise and skills to be an important criterion when filling positions on supervisory boards. Even at companies where compliance incidents have occurred in the past three years, the figure is only 33%. This is a remarkable finding in light of the fact that 42% of the companies stated in the survey that the supervisory board takes concrete measures to ensure that management has digital expertise. On the other hand, only slightly more than half (53%) of the supervisory boards regularly deal with topics related to digitalisation. This figure is even lower in companies with fewer than 1,000 employees.

Supervisory boards become directly involved in digitalisation more often after a compliance incident. In 61% of such cases, digital topics appear on the agenda. Most often (39%), the supervisory board itself deals with the topic, around 25% call on experts, and 13% set up a committee for this purpose. In contrast, only 22% of the supervisory boards of companies that have not had a compliance incident regularly deal with digitalisation.

If digitalisation is regularly on the supervisory board’s agenda, IT security enjoys a level of importance (61%) almost as high as digitalisation topics relating to business processes (68%).

The high degree of attention that supervisory boards are paying to IT security issues is to be welcomed because such issues entail major compliance risks. The study showed that 47% of the responding companies had been affected by digital compliance incidents in the past three years. In addition to general data protection violations (29%), 27% of the respondents reported compliance incidents involving IT security.

The survey also showed that most companies have taken basic steps regarding IT security and data protection, but fewer companies have more specific state-of-the-art measures in place. Few companies see high risks in the use of cloud services (16%). Cloud solutions can usually increase IT security, but the GDPR places stricter requirements on outsourcing data to servers outside the EU. Accordingly, server location is highly relevant for 71% of respondents.

Another result of the study is that two out of three responding companies (67%) have their own data protection department or position, which is separate from the compliance department in four out of ten cases (38%). Two-thirds of the companies also have an IT security position or an information security officer – usually in their IT departments (51%).