Board directors are under a lot of pressure. They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight.

Directors also know that all interactions with the CISO will be subject to close scrutiny in the aftermath of a breach. But with the right mix of security education, communication and help from outside experts, executives can fill cyber risk awareness gaps and achieve compliance with a growing number of privacy and risk regulations.

Regulatory Pressures

Boards are worried about both lawsuits from shareholders and fines from regulators. Many regulatory agencies, such as the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), have made strong public statements to that effect and followed up with enforcements against entities that failed to take appropriate steps to safeguard data.

In an October 2015 speech titled “The Important Work of Boards of Directors,” former SEC Commissioner Luis Aguilar said that the looming threat of cyberattacks “has only served to ratchet up the pressure on company boards to effectively implement enterprise risk oversight,” adding that shareholders can sue directors for failing to adequately protect against cyberthreats.

In December 2016, Sarah Bloom Raskin, deputy secretary of the U.S. Treasury, remarked that boards and senior leaders need to be able to ask the right questions about cyber risks and consider the trade-offs. She further argued for the need to empower boards and top leadership — through education, training and access to outside expertise — to “thoughtfully assess management’s assertions about the design and effectiveness of their organizations’ cyberdefenses” and to “evaluate the completeness and accuracy of their managements’ description of their cybersecurity programs.”

Educating Executives on Core Principles of Cyber Risk

While the topic of cybersecurity isn’t exactly a required course for MBA programs and leadership certificates, directors have been receiving more focused and actionable advice. This comes both from regulators and organizations charged with training board directors, such as the National Association of Corporate Directors (NACD).

According to Board Agenda, board directors need “sufficient relevant skills and understanding to review and challenge management performance.” Similarly, Robyn Bew, director of strategic content development for the NACD, outlined five core principles to properly oversee cyber risks:

  1. Cybersecurity should be part of the overall enterprise risk management program.
  2. Boards should understand the legal side of cyber risks.
  3. Boards should have access to cybersecurity expertise and regularly review the issue.
  4. Boards should ensure that management has provided appropriate direction and support for cybersecurity functions.
  5. Directors and managers should determine which risks to avoid, accept, mitigate and transfer.

Read the Fine Print

While it is still unusual to see anything beyond the most generic of statements regarding cyberthreats and cyber risk governance in SEC filings, more and more companies are mentioning cyber issues as part of their quarterly or yearly disclosures. Some of these updates provide a clearer sense of what boards and top leaders are doing about cybersecurity.

For example, one company’s SEC filing clearly stated that it had conducted cyber risk governance training “to equip board members with examples of questions to ask in order to challenge management and make sure that the controls in place align with the company’s risk appetite and culture.” It added that the company would “continue to monitor the performance and level of risk” regularly throughout the next year.

Boosting Security Awareness Among Board Members

The notion of board directors challenging management’s assertions isn’t a new concept, and it applies to all other areas of board members’ responsibilities. In 2013, for example, a cyber risk guidance report from U.K.-based governance institute ICSA distinguished cyber risk from other risk types due to “the rapid evolution of technology and the resulting fundamental changes in the way business is conducted.” The report also mentioned the need for boards to “consider taking wider advice” in an effort to fully comprehend the cybersecurity challenges they face.

But perhaps the best characterization of the situation facing board directors today comes from a report by the Deloitte EMEA Centre for Regulatory Strategy, which predicted that, as a result of increased cyber risk regulations and frameworks, “boards will be asked to demonstrate they have access to sufficient cyber and IT expertise to allow them to challenge management in this area.”

Board directors appear to have received the message loud and clear that it’s no longer enough to simply receive quarterly cybersecurity updates. Given these challenges, it’s really no wonder that directors want to be seen as more engaged — and, in many ways, more skeptical — when it comes to cybersecurity and cyber risks.
