Best practices for board-level cybersecurity oversight
Corporate boards must play an increasingly active role in overseeing cybersecurity strategies. Here's what they need to know, from SEC disclosure requirements to best practices.
In an era of escalating digital threats, the corporate board finds itself under increasing pressure to provide meaningful cybersecurity oversight.
Since 2023, the Securities and Exchange Commission (SEC) has mandated that public companies disclose their board-level cybersecurity oversight practices in annual filings, underscoring the fact that cyber-risk is now a fundamental aspect of corporate governance. To meet these obligations effectively, boards must establish clear governance structures, engage proactively with cybersecurity leaders and integrate cyber-resilience into broader business strategies.
SEC to boards: Cybersecurity oversight matters
The SEC's Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules require public companies to detail the following cybersecurity oversight practices.
Board-level cybersecurity responsibilities
Companies must specify whether a committee, subcommittee or individual board member is responsible for cybersecurity oversight.
Many organizations delegate this duty to the audit committee, risk committee or a dedicated cybersecurity subcommittee. At Nemertes Research, we usually see clients assign oversight responsibilities to the risk committee -- which is appropriate, as cybersecurity directly impacts business risk, not just IT risk.
Frequency of cybersecurity discussions
Boards must disclose how often they review cyber-risk matters and how frequently they meet with their CISOs.
Best practices suggest CISOs and boards should meet quarterly, with ad hoc meetings during significant cyberincidents. The committee responsible for cybersecurity oversight -- e.g., the risk committee -- should discuss cybersecurity issues at least monthly.
Cybersecurity's role in business strategy and risk management
Boards must demonstrate how they evaluate cybersecurity risks in the context of mergers, acquisitions, supply chain management and digital transformation initiatives.
Approach cyber-risk as an integral part of enterprise risk management and corporate strategy, rather than treating it in isolation. That said, it's best to establish a direct reporting line between the CISO and someone other than the chief risk officer. If the CISO reports to the CRO, one executive is responsible for both assessing risk and mitigating it, which is a conflict of interest: the person who owns the risk assessment should not also own the controls being assessed.
Incident awareness and response protocols
Corporate directors must outline how they become aware of cybersecurity incidents and emerging risks.
For example, boards might rely on real-time security event dashboards, periodic threat intelligence briefings and established protocols that dictate when and how cybersecurity teams inform them of active incidents. The good news is that many tools on the market today make it easy to generate and access such information.
Best practices for board-level cybersecurity oversight
Consider the following best practices to ensure the corporate board meets its cybersecurity oversight obligations.
Establish a dedicated cybersecurity oversight structure
Effective cybersecurity oversight requires a clear governance structure. This should include the following:
A specialized board committee, such as the risk or audit committee, that oversees cybersecurity issues.
At least one member with cybersecurity expertise who provides fellow directors with subject-matter competency training.
External cybersecurity advisors who supplement internal board-level expertise as necessary.
Ideally, the responsible committee should also commission annual third-party security assessments to keep pace with emerging threats.
Regularly engage with cybersecurity leadership
Maintain an ongoing dialogue with the CISO and other cybersecurity leaders, ensuring every quarterly board agenda includes cybersecurity briefings. Ask the CISO to provide reports on key risk indicators, threat intelligence and cybersecurity investments.
The risk committee, or its equivalent, should discuss cybersecurity issues monthly and whenever major threats or incidents occur. Position cybersecurity discussions within the broader contexts of business risk management and business strategy.
Integrate cybersecurity into enterprise risk management
Treat cybersecurity as a critical component of the company's overall risk profile, starting with the following steps:
Align cybersecurity risk assessments with financial, operational and compliance risk evaluations.
Incorporate cybersecurity into business scenario planning and stress-testing exercises.
If cybersecurity insurance is part of the cyber-risk management strategy, treat it as a tool but not a panacea. Policies are becoming more costly and covering fewer incidents, and insurers increasingly require proof of baseline controls, such as MFA and tested backups, before paying claims.
Establish clear cyberincident reporting protocols
Timely and open communication is vital during cybersecurity incidents. With that in mind, define clear thresholds that determine when and how incident response teams should involve the board.
Set clear policies for when and how to communicate security incidents to customers, regulators and the public. Note that proactive and transparent reporting better serves a company's reputation than failing to report an incident that later becomes public.
Implement an incident response framework that aligns with regulatory disclosure requirements. And finally, conduct post-incident reviews to assess lessons learned and improve response strategies.
Insist on regular security incident training
Organizations often conduct security awareness training annually, with repetitive programming that fails to meaningfully educate employees.
Ideally, hold security training at least quarterly and include information about realistic threats, such as ransomware attacks. Test users' knowledge and offer constructive after-action reviews to help them improve.
The board should receive aggregated test results, which it can use to identify blind spots and inform further security awareness training programming. This continuous-improvement approach to security is critical to achieving enterprise security agility.
Stay informed about emerging threats and regulations
The evolving cybersecurity landscape requires business leaders to continuously learn and adapt. With this in mind, boards should participate in regular cybersecurity training sessions and tabletop exercises. In addition, they should stay informed about evolving regulatory requirements, industry best practices and threat intelligence, with CISOs covering these topics in their quarterly security board reports. Finally, directors should consider working with external cybersecurity experts and industry groups to benchmark the organization's security posture against its peers.
The SEC's cybersecurity disclosure requirements reflect the increasing importance of cyber-risk in corporate governance. Ensure board-level cybersecurity oversight by implementing structured mechanisms, maintaining regular engagement with cybersecurity leadership and integrating cybersecurity into broader risk management strategies. Proactive cybersecurity governance mitigates risk and strengthens stakeholder trust and business continuity in an increasingly digital world.
Jerald Murphy is senior vice president of research and consulting with Nemertes Research. With more than three decades of technology experience, Murphy has worked on a range of technology topics, including neural networking research, integrated circuit design, computer programming and global data center design. He was also the CEO of a managed services company.