Overseeing cyber risk: the board’s role

Addressing cyber risk is a challenge for nearly any company and its board. Cyber is a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have an obligation to understand and oversee this significant risk. They need active engagement with leadership, access to expertise, and robust information and reporting from management. 

Learn more about the current threat environment and what your companies can do to mitigate risk.



Four areas where boards should take action to support their company in establishing an effective cybersecurity risk management program

Questions for directors and management about embedding cyber risk 

  • Does the company employ multi-factor authentication on all accounts (including VPN access) to control access?

  • Who has responsibility for the company’s third-party risk management program?

  • Does the company engage in robust patching and vulnerability management? 


Questions for directors to ask to understand a company’s risk posture 

  • Know the company’s key cyber risks

  • Who are the main threat actors and what are their motives?

  • What are they targeting and what is the potential business impact?


In addition to the broad questions to ask about a crisis response plan, boards will want to:

  • Understand how often back-ups of data are done in mission-critical systems 

  • Consider whether adequate resources are allocated both to protecting systems and to responding to and recovering from breaches

  • Understand the key provisions of the company’s cyber insurance policy (see “What you need to know about cyber insurance” for more details)


How can directors improve their knowledge of cybersecurity?

  • Hold deep-dive discussions about the company’s risk posture

  • Attend external programs. There are many conferences that focus on cyber risk oversight where directors can learn about new developments and get insights from experts on the topic

  • Request presentations from law enforcement (e.g., the FBI) and other experts on the different threat environments


In conclusion

Cybersecurity can be an intimidating area for the board to oversee. However, a well thought out approach to oversight, robust reporting, and a strong relationship with the CISO can pave the way for greater understanding and collaboration between the board and management on this critical topic.

Contact us

Maria Castañón Moats
Leader, Governance Insights Center, PwC US

Sean Joyce
Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US

Joseph Nocera
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

John Oleniczak
Partner, Governance Insights Center, PwC US

Barbara Berlin
Managing Director, Governance Insights Center, PwC US

Catie Hall
Director, Governance Insights Center, PwC US
