The importance of having strong dialogue with management
Boards can take various approaches to fulfill their cyber-risk oversight duties. For example, some boards have a separate entry on their risk map to monitor cyber risk and make it a full board responsibility. Others keep oversight within the domain of the audit or risk committee. Whichever applies, cyber risk should be on board or committee agendas annually, if not more frequently.
Management’s duty is to align the cyber risk program to a detailed business risk profile. This profile should reflect an understanding of likely attackers, their objectives, which assets are most at risk, and the impact of those assets being compromised. When alignment is off, it’s the board’s duty to challenge management to construct a more tightly aligned program. In their oversight role, boards need to know the right questions to ask and how to monitor the effectiveness of management’s plans and responses. Such questions can include: “Who is the appropriate executive to be leading cyber risk management?”; “What are the greatest cyber threats our organization faces?”; and “What are the ‘crown jewels’ that we must protect, including data and other assets?”
Read 'Sharpening the board's role in cyber risk oversight'