Going Beyond: TecDAX Supervisory Boards

TecDAX Supervisory Boards – Skills in Tech & Cyber Security

By Sandro Barbato & Angelika Horstmeier

1. Introduction & Findings

Introduction

The TecDAX is an index composed of the 30 largest companies listed on the German stock exchange that are connected to the tech business. Given their core business, investors expect the relevant skills and expertise to be represented at supervisory board level.

Challenge questions

1: Do TecDAX supervisory boards possess relevant technological expertise?

2: Do TecDAX supervisory boards also possess cyber/data security expertise?

Findings
  • Only 19 of the 30 TecDAX companies (=63%) have disclosed a skills matrix of their supervisory board.

Considering these 19 companies only:

  • 12 of 19 companies had director/s with IT, Digitalization or Technology skills (=63%).
  • Two of 19 companies had director/s with explicit Data or Cyber security skills (=11%).

Considering all 30 TecDAX companies:

  • 12 of all 30 companies had director/s with IT, Digitalization or Technology skills (=40%).
  • Two of all 30 companies had director/s with explicit Data or Cyber security skills (=7%).

2. Conclusion & Recommendations

Conclusion
  • In the view of several investors and proxy advisors, cyber risk management is also a supervisory board responsibility. (See “4. Selected Voting Policy Extracts”)
  • Cyber & data security incidents are not limited to specific businesses. Therefore, we consider cyber & data risk management and supervision material for all companies. (See “5. Selected Cyber & Data Incidents”)
  • Especially for companies in a technology index, we had higher expectations than our findings show with regard to both IT, Digitalization or Technology skills and Data or Cyber Security skills.
Recommendations
  • Every company should publish a board matrix.
  • Skills matrices should be meaningful and ideally be connected to additional board member information, such as year of birth or nationality.
  • Skills matrices should always be up to date, including additional education and qualifications achieved, and easy to find, ideally on the relevant supervisory board internet page.
  • When creating its own supervisory board matrix, a company should also consider several examples from companies in similar businesses as well as best-practice templates.
  • The prior point applies not only to companies without an available skills matrix; companies that have one should also check and, where necessary, amend the existing one.
  • From experience, these measures can make it clear that a relevant skill is not represented on the company's own supervisory board.
  • Until upcoming supervisory board elections make it possible to fill such a gap with a new board member, there are measures to limit the risk from proxy advisors and investors in the meantime.

3.0 All TecDAX Companies

Skills Matrix Availability
  • A skills matrix was available for 19 of the 30 TecDAX companies (63%).
  • The following analysis is based on these 19 companies.
IT, Digitalization, and Technology Skills
  • Twelve of the 19 companies (63%) identified one or more directors with skills in IT, digitalization, or technology.
Data/Cyber Security Skills
  • Only two companies (11%) explicitly mentioned directors with skills in cybersecurity or data security.

3.1 Electronic Components Sector

Skills Matrix Availability
  • A skills matrix was available for all five Electronic Components companies (100%).
  • The following analysis is based on these five companies.
IT, Digitalization, and Technology Skills
  • Four of the five companies (80%) identified one or more directors with skills in IT, digitalization, or technology.
Data/Cyber Security Skills
  • None of the five companies (0%) explicitly mentioned a director with skills in cybersecurity or data security.

3.2 Hardware, Software & IT Services Sector

Skills Matrix Availability
  • A skills matrix was available for five of the ten Hardware, Software & IT Services sector companies (50%).
  • The following analysis is based on these five companies.
IT, Digitalization, and Technology Skills
  • Two of the five companies (40%) identified one or more directors with skills in IT, digitalization, or technology.
Data/Cyber Security Skills
  • None of the five companies (0%) explicitly mentioned a director with skills in cybersecurity or data security.

3.3 Healthcare Sector

Skills Matrix Availability
  • A skills matrix was available for three of the six Healthcare sector companies (50%).
  • The following analysis is based on these three companies.
IT, Digitalization, and Technology Skills
  • Two of the three companies (67%) identified one or more directors with skills in IT, digitalization, or technology.
Data/Cyber Security Skills
  • One of the three companies (33%) explicitly mentioned a director with skills in cybersecurity or data security.

3.4 Manufacturing & Services Sector

Skills Matrix Availability
  • A skills matrix was available for four of the five Manufacturing & Services sector companies (80%).
  • The following analysis is based on these four companies.
IT, Digitalization, and Technology Skills
  • Three of the four companies (60%) identified one or more directors with skills in IT, digitalization, or technology.
Data/Cyber Security Skills
  • None of the four companies (0%) explicitly mentioned a director with skills in cybersecurity or data security.

3.5 Telecommunication Sector

Skills Matrix Availability
  • A skills matrix was available for two of the four Telecommunication sector companies (50%).
  • The following analysis is based on these two companies.
IT, Digitalization, and Technology Skills
  • One of the two companies (50%) identified one or more directors with skills in IT, digitalization, or technology.
Data/Cyber Security Skills
  • One of the two companies (25%) explicitly mentioned a director with skills in cybersecurity or data security.

4. Selected Voting Policy Extracts

Allianz Global Investors
  • Allianz GI expect disclosures around cyber security governance, including key roles within the company responsible for cyber resilience of the business, and the board’s approach to ensuring robust oversight.
DWS
  • Generally supportive of proposals asking investee companies to report on their environmental and social (e.g., human rights, product safety, data security) practices, policies and impacts, including environmental damage and health risks resulting from operations, and the impact of environmental liabilities on shareholder value.
Glass Lewis Continental Europe Guidelines
  • Companies and consumers are exposed to a growing risk of cyber-attacks.
  • In instances where cyber-attacks have caused significant harm to shareholders we will closely evaluate the board’s oversight of cybersecurity as well as the company’s response and disclosures.
Legal & General Investment Management
  • The vulnerability of a company’s IT systems can lead to a material financial impact and reputational damage.
  • It should be integrated into the business’s control functions and (…) Cybersecurity should be a regular board agenda item.
New York State Common Retirement Fund
  • Director attributes and skills should be relevant to a board’s capacity to effectively oversee risk, including operational, regulatory, climate-related and environmental, workforce, geopolitical, macroeconomic, financial, and cyber risks.
RBC Global Asset Management
  • We believe that cyber security is a material risk in several industries and we will generally support requests for enhanced disclosure on how the board and senior management are overseeing, managing, and mitigating these risks.
Wellington Management
  • Through engagement, we aim to compare companies’ approaches to cyber threats, regardless of region or sector, to distinguish businesses that lag from those that are better prepared.

5. Selected Cyber & Data Incidents

Any company may fall victim to a cyberattack.
These German examples highlight some of the most notorious incidents.

Aurubis in 2022
  • Aurubis, an important company from the Mining & Mineral sector, was the victim of an attack.
  • Numerous systems at Aurubis sites had to be shut down but production was largely maintained.
Continental in 2022
  • Automotive supplier Continental was the victim of a ransomware attack.
  • 40 terabytes of data were stolen.
Evotec in 2023
  • Evotec, the Healthcare sector company, was affected by an attack in early 2024.
  • IT systems were shut down.
  • Following this, they were not able to provide their audited financial statements on time.
  • In line with the applicable rules, they were therefore excluded from the MDAX.
Rheinmetall in 2023
  • Rheinmetall has important civilian and defense business. This attack was reported to have affected the civilian part (mostly automotive) only.
  • In 2024, the company disclosed the costs of this attack of around 10 million Euros.
Varta in 2024
  • Varta, the Batteries Manufacturing company, was affected by an attack in early 2024.
  • IT systems and production were shut down or reduced.
  • Following this, they were not able to provide their audited financial statements on time.
  • In line with the applicable rules, they were excluded from the SDAX.

6. Methodology

Methodology
  • We collected skills matrices from company websites, documents, and presentations, allocating a reasonable amount of time for research.
  • Skills matrices not found within this timeframe were deemed non-existent, aligning with the practices of most proxy advisors and institutional investors.
  • We considered only capital-elected board members, excluding employee representatives.
  • Our analysis focused on the available supervisory board skills matrices for both IT and data/cyber security.
  • Due to the lack of standardized categories and clear terminology, disclosed skills in digitalization or technology were also considered as IT expertise, applying a principle of doubt. Similarly, cyber and data security were considered interchangeably.
  • It’s important to note that IT skills do not automatically translate to cyber/data security expertise. Therefore, we only considered the latter when explicitly mentioned.
  • We also divided the 30 TecDAX companies into five different sectors. These categorizations were decided according to FactSet and SASB Materiality Finder data.
  1. Electronic components (5 companies)
  2. Hardware, Software & IT Services (10 companies)
  3. Healthcare (6 companies)
  4. Manufacturing & Services (5 companies)
  5. Telecommunications (4 companies)

7. Data Table


With Alliance Advisors Going Beyond research series, we bring to the forefront pivotal discussions and content that are shaping the world of Corporate Governance, Executive Compensation, ESG, Shareholder Activism, Retail Outreach and M&A.
