Overseeing cyber risk: the board's role

Addressing cyber risk may be a challenge for nearly any company and its board. While boards are more engaged in overseeing cyber today, it’s still a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have an obligation to understand and oversee this significant risk. They need active engagement with leadership, access to expertise, and robust information and reporting from management.

Our latest report outlines four key areas in which boards should take action to support their companies in establishing effective cybersecurity risk management programs.



Many strategic decisions have a cyber risk component. For example, adopting new technologies to innovate or better enable and connect a remote workforce changes the company’s cyber risk profile.

Next steps:

  • Give the chief information security officer (CISO) a seat at the table when addressing strategic decisions and the company’s plan.
  • Get metrics on the effectiveness of employee cyber risk training and awareness, as well as on the remediation efforts for employees who do not comply or lack understanding of the risks.
  • Ask leaders outside the CISO's organization, such as business unit and other functional leaders, how they address cyber risk in their departments and in key product and service offerings.


Boards want to know whether management is focusing on the right cyber risks, how management is addressing those risks and whether it’s enough. This starts with understanding the company’s cyber risk management program and cyber risk appetite.

Next steps:

  • Understand the key cyber risks to the organization and how the executive team is managing these risks.
  • Take a fresh look at the board’s cyber reporting and get consistent and holistic information to help the board make decisions.
  • Understand significant new laws and regulations in the cyber/privacy areas and their impact on the business, and get updates on how the company is staying up to date with and meeting those requirements.


Even with a robust risk management program, a breach can still succeed, so boards should also focus their attention on resilience plans.

Next steps:

  • Oversee documentation of the company’s incident response plan and understand how often it is tested by management.
  • Make sure the CISO is included in the company’s disclosure controls and procedures process.
  • Discuss lessons learned from other public security breaches with management and whether the incident response plan is updated for these learnings.


By now, all boards have allocated cyber risk oversight somewhere, either to a committee or to the full board. But boards should periodically reassess that allocation to confirm that it is effective.

Next steps:

  • Reassess where cybersecurity oversight sits on your board and whether the board has cybersecurity skills/expertise, or has access to cybersecurity skills/expertise, to perform its oversight role.
  • Evaluate how your board is continuing to get upskilled and educated on cybersecurity.
  • Update the relevant charter with language that provides insight into the committee’s responsibility, under the direction of counsel.


In conclusion

Cybersecurity may be an intimidating area for the board to oversee. However, a well-thought-out approach to oversight, robust reporting and a strong relationship with the CISO can pave the way for greater understanding and collaboration between the board and management on this critical topic.

Contact us

Ray Garcia, Leader, Governance Insights Center, PwC US

Sean Joyce, Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Barbara Berlin, Managing Director, Governance Insights Center, PwC US

Matt Gorham, Cyber & Privacy Innovation Institute Leader, PwC US

David Ames, Principal, Cyber, Risk & Regulatory, PwC US

Catie Hall, Director, Governance Insights Center, PwC US
