A cyber attack is an attempt by a threat actor to access, change, or destroy sensitive data, or to interrupt normal business processes. Widely cited industry estimates put the frequency at one attack roughly every 39 seconds, affecting one in three Americans each year, and the global cost of cybercrime at around $6 trillion in 2022.
Cyber attacks are among the key risks a board must oversee. The ones that reach board level usually involve large data breaches or significant public disruption.
That’s why the board of directors’ role in cybersecurity is critical. Every board member should understand that cybersecurity is the responsibility of the entire board, not just the risk committee or the CISO (chief information security officer).
The purpose of this guide is to explain cybersecurity to boards of directors, define their role in mitigating cyber risk, and describe modern management tools that support the board’s cybersecurity work.
Board of directors role in cybersecurity
“Cybersecurity is an issue for the whole organization. Whether it is in advance of or during an incident, you should not just leave it to the chief information officer and the technical team.” John Noble, former director of the UK’s National Cyber Security Centre
Beyond their fiduciary and oversight duties, board members play a major role in cyber risk governance: they oversee vulnerability assessments, mitigation strategies, and the controls management puts in place.
Board directors should understand that governing cyber risk isn’t optional today. The Securities and Exchange Commission (SEC) has proposed cybersecurity disclosure requirements that directly concern the board.
In March 2022, the SEC issued a proposed rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. It would require public companies to disclose their cybersecurity governance programs, including:
- The board’s cyber risk oversight
- A description of management’s role in assessing and managing cyber risks
- The board of directors’ cyber expertise
- Management’s role in executing cybersecurity policies and strategies
That’s why the board’s role in cybersecurity is paramount. Here’s what directors should do to manage the risks posed by cyber threats and to ensure effective oversight:
- Understand cyber risk management
- Embed cyber risk in business strategy
- Monitor cyber resilience
- Form the organization’s cybersecurity culture
1. Understand cyber risk management
Corporate boards should start by learning the company’s cyber risk management program and cyber risk appetite, which include:
- The key cybersecurity threats their organizations face
- The main threat actors and their motives
- Their targets and potential security loopholes
- The desired business outcome they are seeking
It’s also beneficial to agree on a small set of cybersecurity metrics for the board, because they help prioritize the most critical cyber risks and align security investment with those risks and with strategic goals. Metrics should be reported as trends over time, not as one-off numbers.
Here’s a list of useful cybersecurity metrics for the board:
- Cyber risk. What share of user activity is flagged as suspicious, and how is that share trending?
- Time to detect and contain a cyber incident. How long does it take from the first malicious activity to detection, and from detection to containment? Report the median and the worst case, since an average hides long-dwell incidents.
- Previous audits of the cybersecurity program. What has been done so far to improve the company’s security and become cyber-resilient, and which audit findings remain open?
- Remaining vulnerabilities. Which known vulnerabilities still require patching, and how many are past their remediation deadline, broken down by severity?
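The following is an added example, not part of the original article, showing how the time-to-detect, time-to-contain and remaining-vulnerability metrics above can be computed from incident and vulnerability records. The records, field names, and the remediation SLAs are constructed assumptions for illustration; a real report would pull them from the ticketing and vulnerability-management systems.

```python
"""Board-level cyber metrics computed from constructed incident and
vulnerability records. Added example; data, field names and SLA values
are assumptions, not figures from any real organization."""
from datetime import datetime
from statistics import median

# Constructed sample incidents: when malicious activity started, when the
# security team detected it, and when it was contained (local timestamps).
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T08:00", "detected": "2024-03-01T10:30", "contained": "2024-03-01T14:00"},
    {"id": "INC-2", "start": "2024-03-05T22:00", "detected": "2024-03-07T09:00", "contained": "2024-03-07T18:00"},
    {"id": "INC-3", "start": "2024-03-12T13:00", "detected": "2024-03-12T13:20", "contained": "2024-03-12T15:20"},
]

# Constructed sample of open vulnerability findings (hypothetical ids).
VULNS = [
    {"id": "FND-1", "severity": "critical", "age_days": 3},
    {"id": "FND-2", "severity": "critical", "age_days": 20},
    {"id": "FND-3", "severity": "high", "age_days": 45},
    {"id": "FND-4", "severity": "medium", "age_days": 10},
]

# Assumed remediation SLAs in days by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

_FMT = "%Y-%m-%dT%H:%M"


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two timestamps in the format above."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 3600


def time_to_detect_hours(incidents):
    """Dwell time per incident: first malicious activity to detection."""
    return [_hours(i["start"], i["detected"]) for i in incidents]


def time_to_contain_hours(incidents):
    """Response time per incident: detection to containment."""
    return [_hours(i["detected"], i["contained"]) for i in incidents]


def summarize(values):
    """Mean, median and worst case; the board should see all three, because
    one long-dwell incident can be invisible in the mean alone."""
    return {"mean": sum(values) / len(values), "median": median(values), "max": max(values)}


def overdue_vulns(vulns, sla=SLA_DAYS):
    """Open findings whose age exceeds the SLA for their severity."""
    return [v for v in vulns if v["age_days"] > sla[v["severity"]]]


def board_report(incidents=INCIDENTS, vulns=VULNS):
    """Return the figures a board deck would show for the reporting period."""
    overdue = overdue_vulns(vulns)
    return {
        "incidents": len(incidents),
        "time_to_detect_h": summarize(time_to_detect_hours(incidents)),
        "time_to_contain_h": summarize(time_to_contain_hours(incidents)),
        "open_vulns": len(vulns),
        "overdue_vulns": [v["id"] for v in overdue],
        "overdue_critical": sum(1 for v in overdue if v["severity"] == "critical"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(board_report(), indent=2))
```

On the constructed data the median time to detect is 2.5 hours while the worst case is 35 hours (INC-2 ran undetected over a weekend), which is exactly the gap a mean of about 12.6 hours would obscure; two findings (one critical) are past their SLA. Reporting median, worst case and overdue counts by severity gives the board something to ask management about, rather than a single reassuring average.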
Only 33% of directors say their board understands the company’s cyber risk issues well.
2. Embed cyber risk in business strategy
To reduce the overall likelihood or impact of a cybersecurity threat, boards of directors should factor cyber risk into strategic decisions. This is especially important when a company decides to:
- Adopt new technologies
- Change business operations
- Enter new markets
- Develop new products or services
- Acquire or merge with another company
- Collaborate with third parties to produce products or services
Each of these decisions expands the attack surface, especially when it involves sharing personal data with new systems or third parties. That’s why cyber risk should be assessed as part of the decision, not after it.
3. Monitor cyber resilience
Cyber resilience is a measure of business strength in preparing for, operating through, and recovering from a cyber attack.
A successful cyber resilience strategy requires a comprehensive approach that usually includes four steps:
- Identify. Identify what exactly should be protected. For that, security staff should maintain an up-to-date inventory by regularly scanning the organization’s IT footprint, including cloud assets and third-party services.
- Protect. Take appropriate precautions to avert a cyber security event. At a minimum, employee devices should run endpoint protection that automatically blocks known intrusions, and access should require multi-factor authentication.
- Respond. Have a tested incident response plan. It allows security professionals to act fast and consistently when a breach is detected, and it should define when the board is informed.
- Recover. Back up critical systems, keep a copy isolated from the production network, and test restores regularly, so the business can get back to work without significant losses.
4. Form the organization’s cybersecurity culture
It’s the board’s responsibility to raise awareness about the importance of cybersecurity. Here are three steps corporate directors can take to ensure strong cybersecurity culture:
1. Promote cyber hygiene from the top down:
- Encourage executive directors and other board members to be the first to adopt cybersecurity practices such as multi-factor authentication and secure channels for board materials.
- Encourage executives to take part in cybersecurity training.
2. Avoid confusion:
- Communicate clear and transparent cybersecurity requirements to employees.
- Have a clear and easy system for reporting any suspicious activity to the security team.
- Make training engaging and worth employees’ time.
3. Make shared accountability explicit:
- Explain to employees how cybersecurity affects both personal privacy and customer data.
- Explain to employees that the business can be held publicly accountable for any violation or breach.
Board of directors cybersecurity principles
Here are the major board of directors cybersecurity principles:
- See cybersecurity as a strategic business enabler
- Align cyber-risk management with business needs
- Encourage systemic resilience and collaboration
- Incorporate cybersecurity expertise into board governance
See cybersecurity as a strategic business enabler
Cybersecurity is more than just a preventive measure. It can help a business grow.
Here’s why the board of directors cybersecurity is so important:
- Customer confidence and loyalty. Better security supports sales, satisfaction, and customer retention. This is supported by survey research in which almost 90% of businesses said strong cyber security would help their reputation in the market and improve customer loyalty.
- Productive business. A reliable incident response plan ensures an organization can reduce the disruption to operations in case of a cyber attack.
71% of executives say that cybersecurity concerns impede innovation in their organization.
Align cyber-risk management with business needs
Many companies struggle to align their cyber risk management activities with business strategies. But to make a business grow and expand, organizations should create partnerships between business leaders and those responsible for managing enterprise cyber risk. Here’s how to achieve it:
- Gather a cyber governance committee. It can include key stakeholders and cybersecurity experts that together can develop cyber risk management strategies.
- Enhance the role of the CISO. The CISO should ensure that the objectives of the organization’s cybersecurity program are aligned with its business goals. The CISO is also responsible for keeping communication between security staff and key stakeholders clear and straightforward.
Encourage systemic resilience and collaboration
According to the World Economic Forum’s Global Risks findings, the risk of cybersecurity failure represents a critical global threat in both the short and long term. Because modern organizations are highly interconnected, the cyber threat landscape extends far beyond any one enterprise and can affect entire industries and sectors.
That’s why systemic resilience and collaboration should be encouraged. Here’s what can be done:
- Develop peer networks to share best corporate governance practices across your industry.
- Ensure management has plans for effective collaboration with the public sector on improving cyber resilience.
- Encourage management participation in industry information-sharing platforms.
Incorporate cybersecurity expertise into board governance
To ensure an organization’s cybersecurity, corporate boards should continually expand their own knowledge and expertise. For example, they can:
- Communicate with internal stakeholders who can share their experience and help make decisions on cybersecurity.
- Seek recommendations and help from third-party advisers.
- Conduct audits and reviews of cybersecurity strength by independent third parties.
- Keep the board up-to-date on recent cyber incidents, trends, and vulnerabilities.
How the board of directors can prepare for the new cybersecurity rules
The SEC’s proposed cybersecurity rule would change the board’s role. Under the 2022 proposal, public companies would have to disclose whether their boards have members with cybersecurity expertise, alongside how the board oversees cyber risk. (The rule as finally adopted in July 2023 kept the board oversight and management role disclosures and added material-incident reporting, but dropped the board-expertise item.)
The following practices help ensure that the board’s cybersecurity knowledge is sufficient for the new rules:
- Educate board members
- Rethink cyber budgets
- Leverage secure board management software
Educate board members
By consistently implementing regular and easy-to-understand training, organizations become one step closer to ensuring cyber resilience and mitigating human error. Here’s what can be done:
- IT teams and cyber experts need to take the time to educate boards and employees about cyber crimes like phishing, cyber extortion, or ransomware attacks.
- Boards should add discussions of current cybersecurity risks and preventative measures to the agenda. By doing it, board members have an opportunity to raise questions and define their role in helping address cybersecurity threats.
Rethink cyber budgets
Forrester, a leading global market research company, released a report to help organizations correctly allocate cyber budgets. Here are the main recommendations:
- Spend more on cloud security. According to the report, 58% of organizations will move their application portfolios to a public cloud in the next two years. But this area still remains one of those that organizations tend to underspend on.
- Spend more on security awareness. Even though it’s tempting to cut expenses on training and education, organizations won’t benefit in the long run as it’ll ultimately lead to a skills shortage, data breaches, and financial losses.
Leverage secure board management software
Board management software is a tool that organizations can use to streamline their cybersecurity processes and data protection. Here’s what they can use it for:
- Board materials storage and distribution. Store and share any confidential information securely in one centralized place.
- Meetings. Conduct a secure virtual board meeting anywhere and anytime.
- Activity tracking. Use the activity dashboard and audit log to see which board members and staff accessed or uploaded which documents and when, which is also the record you will need if a board document leaks.
- Task assignment. Create tasks and assign them to cybersecurity experts.
You can check out the guide to find the most suitable board management software for your organization’s needs.
Modern management tools for the board of directors cybersecurity
A board portal is a management tool that boards use to collaborate securely and share board materials, including the cybersecurity reporting that builds the board’s expertise.
Here are the main advantages of board portals:
- Security. Security features such as two-factor authentication, encryption of sensitive data in transit and at rest, and role-based access permissions set by the board administrator let a board store and share cybersecurity information with far less exposure than e-mail attachments.
- Accessibility. Since it’s sometimes difficult to gather board members for in-person meetings, it’s more convenient to meet online on a secure board portal, where materials stay inside a controlled system instead of being scattered across personal inboxes and devices.
- Effective communication. Due to numerous collaboration tools like chats, document annotations, mentions, comments, voting, and reminders, you can facilitate and speed up the process of making strategic decisions on cybersecurity.
- Environmental friendliness. Sustainability has gone mainstream in the corporate world. By adopting a board portal and conducting a paperless board meeting, boards can significantly reduce environmental impact. It also helps to attract investors who believe that a corporation’s performance on environmental, social, and governance (ESG) factors influences its profitability.
If you are looking for board management software, consider the board portal by iDeals. It is the top choice of our experts.
FAQ
What does a board need to know about cybersecurity?
The board’s cybersecurity knowledge should be sufficient to comply with SEC disclosure requirements. Among the most important things to learn are the key cybersecurity threats the organization faces, the main threat actors, their motives, what they are targeting, and what the potential impact on the business is.
What is the board’s role in the event of an incident?
During an incident the board oversees rather than runs the response. Before an incident, it should have ensured that a tested incident response plan exists and that it defines when and how the board is informed. During an incident, it should confirm that management is executing that plan, ask about business impact and recovery, and make sure disclosure obligations (such as the SEC’s incident disclosure requirements) are being met. After the incident, it should review what happened and adjust the cyber risk strategy, resilience monitoring, and security culture accordingly.