Questions for the Board to Ask Management about Cybersecurity

In brief: Produced with the NACD Director’s Handbook on Cyber-Risk Oversight, these questions are designed to guide directors as they work to strengthen oversight of their company’s cybersecurity. Questions are focused on the following areas of cybersecurity oversight: situational awareness, strategy and operations, insider threats, supply-chain and third-party risks, incident response, and post-cybersecurity incident review.

This resource can help your board

• Improve cybersecurity-related communications from management.

• Assess the company’s vulnerabilities and strengthen its cybersecurity posture according to leading practices.

• Respond appropriately in the case of a cyber incident.

Most relevant audiences: risk committee members, audit committee members, and chief information security officers.

Situational Awareness

1. Were we told of cyberattacks that have already occurred and how severe they were?

2. What are the company’s cybersecurity risks, and how is the company managing these risks?

3. How will we know if we have been hacked or breached, and what makes us certain we will find out?

4. Who are our likely adversaries?

5. In management’s opinion, what is the most serious vulnerability related to cybersecurity (including within our IT systems, personnel, or processes)?

6. If an adversary wanted to inflict the most damage on our company, how would they go about it?

7. Has the company assessed the insider threat?

8. When was the last time we conducted a penetration test or an independent external assessment of our cyber defenses? What were the key findings, and how are we addressing them? What is our maturity level?

9. Does our external auditor indicate we have cybersecurity-related deficiencies in the company’s internal controls over financial reporting? If so, what are they, and what are we doing to remedy these deficiencies?

Strategy and Operations

1. What are the leading practices for cybersecurity, and where do our practices differ?

2. Do we have appropriately differentiated strategies for general cybersecurity and for protecting our mission-critical assets?

3. Do we have an enterprise-wide, independently budgeted cyber-risk management team? Is the budget adequate? How is it integrated with the overall enterprise risk management process?

4. Do we have a systematic framework, such as the National Institute of Standards and Technology Cybersecurity Framework, in place to address cybersecurity and to assure adequate cybersecurity hygiene?

5. Where do management and our IT team disagree on cybersecurity?

6. Do the company’s outsourced providers and contractors have cybersecurity controls and policies in place? Are those controls monitored? Do those policies align with our company’s expectations?

7. Does the company have cyber insurance? If so, is it adequate?

8. Is there an ongoing, company-wide awareness and training program established around cybersecurity?

9. What is our strategy to address cloud, BYOD (bring your own device), and supply-chain threats?

10. How are we addressing the security vulnerabilities presented by an increasingly mobile workforce?