NACD Risk Oversight Advisory Council: Current and Emerging Practices in Cyber-Risk Oversight
In brief: As cyberattacks increase in frequency and severity, cybersecurity oversight continues to top the list of boardroom priorities. Data from the 2018–2019 NACD Public Company Governance Survey find that directors selected the threat of cyberbreach as the third-most-likely trend to have the greatest impact on their companies in the coming 12 months. NACD data also find that a significant number of directors of both public and private companies are looking to improve cybersecurity oversight across the coming year—97 percent and 94 percent, respectively.
On March 13, 2019, NACD, PwC, and Sidley Austin LLP convened a meeting of the NACD Risk Oversight Advisory Council. The discussion with risk and audit committee chairs from Fortune 500 companies focused on leading practices related to the board’s oversight of cybersecurity risks. The following insights emerged from the discussion:
- At its core, cybersecurity is a people issue, and boards should tailor their oversight activities accordingly.
- Cyber-risk reporting to the board should evolve to keep pace with the changing needs of the organization, and of the board itself.
- Boards should ask how their companies are engaging in information sharing within their own industries and with the public sector.
This resource can help your board to
- probe your management team on the implications of its approach to cyber policies, processes, and incentives;
- assess enterprise-wide blind spots in cybersecurity strategy;
- evaluate the expertise and talent necessary to execute the organization’s broader cybersecurity strategy;
- examine the format and content of cyber-risk reporting; and
- consider avenues through which your company can engage in information sharing within its industry or the public sector.
Most relevant audiences: risk committee members, audit committee members, CEOs, chief risk officers, chief technology officers, chief information security officers