The Role of Board of Directors in Cyber Risk Management and Governance

Cyber attacks have become a pervasive concern for enterprises across industries in today’s interconnected, digital environment. Because cyber threats can cause severe financial and reputational harm, organizations need a proactive, comprehensive strategy for protecting their assets and stakeholders. Setting that strategy and holding management to it is a responsibility of the Board of Directors, which plays a central role in cyber risk management and governance. In this blog post, we look at the essential duties and activities that boards should take on to address cyber risk effectively.

Governance and Oversight

The Board’s primary objective is to build a strong governance framework that includes cyber risk management. By integrating cybersecurity into the broader enterprise risk management strategy, the Board sets the tone for the organization’s commitment to cyber resilience. In practice this means reviewing and approving the cybersecurity strategy, policies, and resources, and evaluating the performance of the cyber risk management program on a regular basis.

Background on the Role of Boards of Directors:

When examining the board’s involvement in addressing cybersecurity, keep in mind the board’s overall responsibilities to the organization and, more specifically, its role in corporate governance and risk management. Corporations have long been administered under the direction of their boards of directors, both in the United States and around the world. This arrangement rests on a fundamental premise of the contemporary corporation: the separation of ownership and control. Under this structure, the persons in charge of a corporation must answer to the company’s true owners, the shareholders.

It would be neither feasible nor desirable, however, for a public company’s many, widely scattered shareholders to band together and oversee, or direct the management of, the company’s business and affairs. Effective full-time management is clearly required for public corporations to function. Yet management without accountability can lead to self-serving decisions that are detrimental to the company and its owners. As a result, shareholders elect a board of directors to represent their interests, and the board ensures, through good corporate governance, that management serves the organization and its shareholders effectively.

“Leading the Charge: Empowering Boards of Directors in Cyber-Risk Oversight”

Given the alarming frequency of significant cyber attacks and the growing evidence that companies of all sizes are increasingly exposed to potentially disastrous ones, boards of directors must treat the adequacy of their company’s cybersecurity measures as a priority within their risk oversight responsibilities.

Beyond the potential for significant disruption to business operations, the substantial cost of responding to an attack, negative publicity, and lasting damage to reputation, there is also the looming threat of litigation and potential liability if adequate measures are not taken to protect the company from cyber threats. Not surprisingly, there has been a recent surge in derivative lawsuits filed against companies, and against their officers and directors, over data breaches resulting from cyber attacks. Boards that disregard or downplay the importance of cybersecurity oversight therefore do so at their own peril.

Given the well-known risks posed by cyber attacks, one would expect corporate boards and senior management to be actively addressing them. The evidence, however, suggests a gap between the magnitude of the cyber risks companies face and the actions, or lack of them, that many boards have taken. Observers have noted that boards are not dedicating enough time, or allocating adequate corporate resources, to cybersecurity. One survey found boards neglecting essential oversight activities related to cyber risk, including reviewing the annual budgets for privacy and IT security programs, assigning clear roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks.

Even when boards do focus on these risks, there is concern about how heavily they rely on the very personnel responsible for implementing the measures they are meant to oversee. Given these observations, directors should reflect on what actions they can and should take to supervise cyber risk management effectively.

Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk

Source: Gartner (November 2021)

Business executives recognize the need to protect their organization from new and evolving threats, yet responsibility for security still sits primarily with IT leadership. According to the Gartner survey, the CIO, CISO, or their equivalent was the person accountable for cybersecurity in 85% of the organizations surveyed. Only 10% of organizations held top non-IT senior management accountable.

According to Paul Proctor of Gartner, “IT and security leaders are frequently thought of as the ultimate authorities for safeguarding the enterprise from threats.”

“Yet, every day, business leaders make choices that affect the security of the organization without consulting the CIO or CISO.”

CIOs and CISOs argue that responsibility for cybersecurity must be rebalanced so that it is shared with business and corporate executives. Gartner advises IT and security leaders to work with executives and boards of directors to create governance that distributes accountability for the business decisions that affect enterprise security.

Key Areas for Board Action in Establishing an Effective Cybersecurity Risk Management Program

1. Ensure cyber risk is embedded in strategic decisions and the company’s culture:

To combat cyber risk, the board of directors, the CEO, management, business unit leaders, and the IT and security functions must jointly consider the cybersecurity implications of their decisions and operations, rather than leaving that analysis to the security team after the fact.

2. Understand the cyber risk management program:

Boards want to know whether management is concentrating on the right cyber threats, how management is handling those risks, and whether its response is sufficient. Understanding the company’s cyber risk management program and its risk appetite is the first step toward answering those questions.

3. Monitor cyber resilience:

The growth in ransomware attacks and data breaches has led many boards to give resilience strategies close attention. The goal is to detect and respond to cyber attacks swiftly in order to limit business disruption and monetary loss. Recovery depends on the company’s vital systems being protected in advance: this means reducing the potential harm a cyber event can cause to those systems and making sure they can be restored after an incident.

4. Rethink the board’s cyber oversight allocation:

It is worth examining the board’s oversight approach on a regular basis to ensure that it remains effective. Consider whether the current structure involves the right board members and whether they have enough time to address the issue. It is also critical that the board has access to the subject matter expertise it requires, whether from management, external advisers, or directors with relevant experience.
