The corporate board bears a crucial responsibility for managing cybersecurity risks that threaten organizations of all sizes. As overseers of the company’s cybersecurity posture, board members must take active steps to protect its assets and data from cyber threats. However, some board members may not fully understand their personal liability for lack of oversight in this area.

Under corporate governance law, board members owe a fiduciary duty to act in the best interests of the company and its shareholders, and that duty extends to protecting the company from cyber threats. A board member who fails in this duty may face personal liability for the resulting losses or damages. Under the landmark 1996 Caremark ruling (In re Caremark International Inc. Derivative Litigation, Delaware Court of Chancery), directors can be held accountable for a sustained or systematic failure to implement and monitor reporting systems that would bring material risks to their attention, or when their inaction results in a loss. Furthermore, if the company breaches data protection laws such as the EU's GDPR, the company faces regulatory penalties and board members may be held accountable for the failure of oversight.

A framework for addressing cybersecurity risk

To effectively mitigate cybersecurity risk, the corporate board should take the following steps:

  1. Stay informed: Invite the CISO or vCISO to present updates, but don’t rely solely on these presentations. Have a board member with technical expertise stay current with industry news, attend security conferences and events, and engage with security experts.
  2. Assess risk posture: Conduct a comprehensive risk assessment to identify areas of weakness and potential vulnerabilities.
  3. Develop a cybersecurity strategy: Based on the results of the risk assessment, outline steps to mitigate risk and protect against cyber threats, including the implementation of technologies, processes, and training programs.
  4. Allocate resources: Ensure the organization has adequate funding and staffing to implement and maintain its security posture.
  5. Foster a culture of security: Encourage security awareness and training throughout the organization and incorporate security into company policies and procedures.
  6. Ensure an accurate picture of risk: Consider forming a cybersecurity committee that works directly with the CISO, so that the board sees risks first-hand rather than filtered through executive management, which may suppress or under-appreciate cybersecurity risks.
  7. Engage with third-party vendors: Partner with a security vendor to supplement internal security efforts and stay updated on the latest security technologies and best practices.
  8. Monitor and review regularly: Establish regular review processes to ensure the organization’s cybersecurity posture remains effective, including reporting from the CISO on threats and regular reviews of security policies, incident response plans, and metrics.

The corporate board therefore has a critical role to play in mitigating cybersecurity risk. By staying informed, assessing the organization's risk posture, developing a comprehensive cybersecurity strategy, allocating adequate resources, fostering a culture of security, obtaining an unfiltered view of risk, engaging with a third-party security vendor, and monitoring and reviewing regularly, the board can help ensure that the company is taking the steps necessary to protect itself against cyber threats.



Paul Bergman