Overseeing cyber risk: the board's role

November 30, 2023

Addressing cyber risk may be a challenge for nearly any company and its board. While boards are more engaged in overseeing cyber today, it’s still a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have an obligation to understand and oversee this significant risk. They need active engagement with leadership, access to expertise, and robust information and reporting from management.

Our latest report outlines four key areas in which boards should take action to support their companies in establishing effective cybersecurity risk management programs.

Download the report

Four key areas in which boards should take action to support their companies in establishing effective cybersecurity risk management programs

Many strategic decisions have a cyber risk component. For example, adopting new technologies to innovate or better enable and connect a remote workforce changes the company’s cyber risk profile.

Next steps:

Give the chief information security officer (CISO) a seat at the table when addressing strategic decisions and the company’s plan.
Get metrics on the effectiveness of employee training and awareness for cyber risks as well as the remediation efforts for those that do not comply or lack understanding of the risks.
Ask others outside of the CISO, like business unit and other functional leaders, how they address cyber risk in their departments and key product and service offerings.

…read more in the report.

Boards want to know whether management is focusing on the right cyber risks, how management is addressing those risks and whether it’s enough. This starts with understanding the company’s cyber risk management program and cyber risk appetite.

Next steps:

Understand the key cyber risks to the organization and how the executive team is managing these risks.
Take a fresh look at the board’s cyber reporting and get consistent and holistic information to help the board make decisions.
Understand significant new laws and regulations in the cyber/privacy areas and their impact on the business, and get updates on how the company is staying up to date with and meeting those requirements.

…read more in the report.

Even with a robust risk management program, there still can be a successful breach and boards should focus their attention on resilience plans.

Next steps:

Oversee documentation of the company’s incident response plan and understand how often it is tested by management.
Make sure the CISO is included in the company’s disclosure controls and procedures process.
Discuss lessons learned from other public security breaches with management and whether the incident response plan is updated for these learnings.

…read more in the report.

By now, all boards have allocated cyber risk oversight somewhere — either to a committee or the full board. But boards periodically should reassess their allocation to determine that it is effective.

Next steps:

Reassess where cybersecurity oversight sits on your board and whether the board has cybersecurity skills/expertise, or has access to cybersecurity skills/expertise, to perform its oversight role.
Evaluate how your board is continuing to get upskilled and educated on cybersecurity.
Update the relevant charter with language that provides insight into the committee’s responsibility, under the direction of counsel.

…read more in the report.

In conclusion

Cybersecurity may be an intimidating area for the board to oversee. However, a well-thought-out approach to oversight, robust reporting and a strong relationship with the CISO can pave the way for greater understanding and collaboration between the board and management on this critical topic.

Contact us

Ray Garcia

Partner & Leader, Governance Insights Center, PwC US

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Barbara Berlin

Managing Director, Governance Insights Center, PwC US

Matt Gorham

Cyber & Risk Innovation Institute Leader, PwC US

David Ames

Principal, Cyber, Risk & Regulatory, PwC US

Catie Hall

Director, Governance Insights Center, PwC US

Hide

Required fields are marked with an asterisk(*)

First Name*

Last Name*

Company Name*

Job Title*

Job Function*

Email address*

Location*

Your personal information will be handled in accordance with our Privacy Statement. You can update your communication preferences at any time by clicking the unsubscribe link in a PwC email or by submitting a request as outlined in our Privacy Statement.

© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Overseeing cyber risk: the board's role

Four key areas in which boards should take action to support their companies in establishing effective cybersecurity risk management programs

In conclusion

Related content

Contact us

Thank you for your interest in PwC

Overseeing cyber risk: the board's role

Four key areas in which boards should take action to support their companies in establishing effective cybersecurity risk management programs

In conclusion

Related content

Ransomware and the board’s role: what you need to know

SEC’s cyber disclosure rule

Cyber breach reporting to be required by law for better cyber defense

The C-suite playbook - Bridging the gaps to cyber resilience

Contact us

Thank you for your interest in PwC