Credentials
NACD Directorship Certified®
The premier designation for directors in the United States
Trending Oversight Topics
Governance Surveys
Center for Inclusive Governance
Boardroom Tools
Enhancing Cybersecurity Oversight Disclosures—10 Questions for Boards
04/12/2021
In brief: This tool provides directors with key questions to pose to their management teams on cybersecurity disclosures for the organization. Enhancing cybersecurity disclosures ensures that legal risks and cyber risks are both being adequately addressed. This tool originally appeared in the publication Cyber-Risk Oversight 2020: Key Principals and Practical Guidance for Corporate Boards.
This resource can help your board to
understand the legal impacts of cyber risks,
question management on cybersecurity disclosures, and
enhance cybersecurity disclosures within the corporation.
Most relevant audiences: Risk committee chairs, risk committee members, and CISOs
Cybersecurity attacks are among the gravest risks that businesses face today. EY’s 2019 CEO Imperative Survey found that CEOs ranked national and corporate cybersecurity as the top global challenge to business growth and the global economy. As discussed in Principle 2, directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances, including potential requirements related to disclosures. This Tool offers 10 questions that boards can ask to enhance cybersecurity disclosures within their organization.
In this environment, stakeholders want to better understand how companies are preparing for and responding to cybersecurity incidents. They also want to understand how boards are overseeing these critical risk-management efforts. EY’s annual Center for Board Matters investor outreach includes conversations with governance specialists from more than 60 institutional investors representing more than US $32 trillion in assets under management. Sixty-one percent of respondents said cybersecurity, regardless of sector, was among those elevated risk issues, even though investors characterize cyber risk as a pervasive and standard risk impacting all companies. Some of the key themes arising from those conversations were these:
an interest in understanding how boards are structuring oversight (i.e., is a committee or the full board charged with that responsibility)
how directors are developing competence around and staying up-to-speed on cyber issues
how often and who from management is reporting to the board
key features of how management is addressing cyber risk
many investors also expressed interest in data-privacy issues and compliance with new privacy laws and regulations
In response, many companies are enhancing their cybersecurity disclosures, with the most significant changes related to board oversight practices. (See Figure 1.)
Thank you for your interest in this page.