Something we keep coming across in our board reviews is cyber risk, and how a board can exercise oversight of a threat that is fast-moving, hard to understand and potentially critical. Most directors worry about the organisation's exposure, especially when they sense that a serious breach is a matter of "when", not "if". But few of them feel confident that their technical knowledge is sufficient to test what they are being told. Are they merely forming a half-formed judgement on the adequacy of the mitigation approach, or on the organisation's ability to respond to a major breach?
It's one of those areas where directors can't be expected to become experts. And finding someone who is already an expert, but also has the right profile to become a non-executive director, will always be tricky, especially with such a limited pool to draw from. Indeed, increasing numbers of boards have stopped looking for cyber-NEDs and instead are appointing retained experts as advisors. But of course even those advisors need to be used wisely by a board. So, what's to be done?
At a minimum, the board needs a clear framework of questions to ask, one based on a good understanding of the full breadth of the risk and of the response it requires. Here we can touch only lightly on this complex topic. But we have aimed to give a few pointers on good practice to help you cover the ground and avoid the pitfalls.