Executive Summary
Cyber risk is no longer just an IT issue; it's a critical business risk that requires board-level attention. In today's digital world, a major cyberattack can have a devastating impact on an organization's finances, reputation, and operations.
The threat of cyberattacks is one of the most significant challenges facing organizations today. From ransomware and phishing attacks to data breaches and intellectual property theft, the cyber threat landscape is constantly evolving and becoming more sophisticated. A major cyberattack can have a devastating impact on an organization, resulting in financial losses, reputational damage, and operational disruption. As a result, cyber risk has become a top priority for boards of directors.
A 2026 survey by the NACD found that 83% of boards are now discussing cybersecurity at every board meeting. This is a significant increase from just a few years ago, and it reflects the growing recognition that cyber risk is a critical business risk that requires board-level attention.
The board of directors has a critical role to play in overseeing the organization's cybersecurity risk management program. This includes:
**Establishing a clear governance structure:** The board should establish a clear governance structure for cybersecurity, with defined roles and responsibilities for the board, management, and the IT department. This may include establishing a dedicated cybersecurity committee of the board.
**Understanding the cyber threat landscape:** The board should have a clear understanding of the cyber threat landscape and the specific cyber risks that the organization faces. This requires regular briefings from the chief information security officer (CISO) and other cybersecurity experts.
**Approving the cybersecurity strategy and budget:** The board should review and approve the organization's cybersecurity strategy and budget. This will help to ensure that the organization is investing in the right resources and capabilities to protect itself from cyber threats.
**Overseeing the implementation of the cybersecurity program:** The board should oversee the implementation of the organization's cybersecurity program and monitor its effectiveness. This includes reviewing regular reports on the program's performance and asking tough questions of management.
**Planning for a cyber incident:** The board should ensure that the organization has a well-defined incident response plan in place to respond to a cyberattack. This plan should be regularly tested and updated.
Building a cyber-resilient organization is a journey, not a destination. It requires a long-term commitment from the board and from management to continuous improvement. By embracing these best practices, boards can enhance their oversight of cyber risk and help to protect their organizations from the ever-present threat of cyberattacks.
Actionable Recommendations
Establish a dedicated cybersecurity committee of the board.
Schedule regular briefings from the CISO and other cybersecurity experts.
Review and approve the organization's cybersecurity strategy and budget.
Ensure that the organization has a well-defined incident response plan in place.