
Boards: Supporting cybersecurity risk management & mitigation

By Patrick Niemann

Image by Benjamin Child from Unsplash

November 21, 2022

Corporate cybercrime concerns and costs are greater than ever. Cyberattackers shut down systems, halting operations, as they seek to hold corporations and other organizations hostage, demanding ransom payments that are oftentimes in the tens of millions of dollars. Global ransomware payouts exceeded $400 million in 2020, according to The White House. The Federal Bureau of Investigation’s Internet Crime Complaint Center recently reported that “Business E-mail Compromise (BEC) schemes cost U.S. businesses more than $2 billion last year,” and that cyber incidents reported to the center totaled nearly $7 billion in potential losses in 2021.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this year responded to geopolitical concerns by guiding organizations to take a “shields up” approach to defending against cyberattacks. Make no mistake: this defense is no longer just the responsibility of the information technology department or the chief information security officer. A shields up approach requires enterprise involvement from the top down, and corporate boards play a critical role in setting the tone for the enterprise.


Regulators, lawmakers and insurance companies are all focused on how companies defend against and respond to cybersecurity incidents. To that end, the U.S. Securities and Exchange Commission (SEC) proposed rule changes that are expected to take effect in 2023 to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.” In the interim, more can be done now to engage boards in cybersecurity governance.


Board directors and the companies they advise are aware of the criticality of cybersecurity, and their perspective can deliver tremendous value in a time of crisis. However, many are more likely to say the value they add is in more traditional board oversight areas, such as capital allocation, succession planning, enterprise risk management, or even mergers and acquisitions. The good news is that directors are hungry for knowledge about leading practices, and they welcome the perspective that can be gained from external advisors and experts.


Build board cybersecurity expertise

To realize a greater benefit from corporate boards as it relates to their cybersecurity governance, organizations should consider ways to expand the cybersecurity knowledge that is resident on their boards. An EY analysis of proxy statements and Form 10-K filings over the past five years quantified gains that have been made as companies rise to the challenge.


For instance, Fortune 100 disclosures of director cybersecurity skills and expertise increased to 61% of the 74 companies included in 2022, up from 35% in 2018. Additionally, just over half (51%) of Fortune 100 corporations studied this year reported at least one director with cybersecurity expertise in their biography. That is up from 28% in 2018.


Elevate the board’s cybersecurity risk focus

While cybersecurity is a responsibility of the full board, most Fortune 100 companies (88%) now assign oversight to at least one board-level committee, up 16% over 2021. Even where cybersecurity is delegated to a committee, most often the audit committee, it remains a priority for the full board.


To further their progress and increase cyber resilience, boards should engage in cyber readiness simulations with the companies they advise to understand where there are opportunities to strengthen cyber defenses, as well as what the board should expect when notified about an incident. For example, only 9% of companies disclosed that they engage in cyber threat simulations and response readiness tests, but even that is up from just 3% in 2018.


The board and corporate management need to be on the same page before a ransomware attack occurs and should decide whether a ransom payment would be approved and under what circumstances. That agreement can be worked through as part of a cybersecurity breach simulation, instead of making decisions in the heat of the moment.


Keep the board abreast of management progress

While board members should raise questions about cybersecurity, they also should receive regular management reports. Just over two-thirds (68%) of Fortune 100 companies are disclosing the frequency of their management reports to their board. That is about twice what was disclosed in 2018.


If a board does not receive regular reports from management, particularly from the chief information security officer (CISO), it’s crucial that they request these updates. In receiving specific updates and disclosing them, boards help stakeholders recognize that cyber is viewed as an enterprise risk, not just an IT risk.


Stay current on public policy and other cybersecurity developments

Collaboration with industry groups, policymakers and peers can be helpful as boards seek to stay current on advancements in cybersecurity practices and on requirements that may be written into future laws or regulations. For instance, if the proposed SEC regulations are finalized, an organization would be required to disclose a material cybersecurity incident in a Form 8-K within four business days of determining that the incident is material, where materiality means there is a “substantial likelihood” that a reasonable shareholder would consider the event important. Periodic updates on the incident would be required thereafter.


It is also good practice for boards to schedule deep-dive briefings with independent third-party experts to help them evaluate whether their company’s cyber risk management program meets their objectives.  


Mind the cyber governance gap with vigilance

Although companies are making progress, more work remains to defend against and respond to the eventuality of a cyberattack, from the top down. Boards have a fiduciary responsibility in their governance capacity to set the tone with their vigilance, engage with the business on its cybersecurity, and demonstrate the criticality of cybersecurity risk mitigation and management through their questions and communication. In doing so, boards also demonstrate to investors and other stakeholders that, together with senior management, the company has established a cybersecurity management structure to defend against cyber risks and to respond quickly in the event of an attack.

KEYWORDS: board of directors cyber security governance risk risk management


Patrick Niemann, as the Leader of the EY Audit Committee Forum, is responsible for the EY Center for Board Matters’ audit committee services throughout the Americas. He is a graduate of the University of Southern California Marshall School of Business.
