Something we keep coming across in our board reviews is cyber risk – and how a board can exercise oversight of this fast-moving and difficult-to-understand critical threat.  Most directors worry about the organisation’s exposure, especially when they sense it’s not a matter of “if” but “when”.  But few of them feel confident that their technical knowledge is sufficient to test what they are being told.  Are they merely forming a half-baked judgement on the adequacy of the mitigation approach or the organisation’s ability to respond to a major breach?

It’s one of those areas where directors can’t be expected to become experts.  And finding someone who’s already expert, but has the right profile to become a non-executive, will always be tricky – especially with such a limited pool to dip into.  In fact, increasing numbers of boards have stopped looking for cyber-NEDs and instead are appointing retained experts as their advisors.  But of course even those need to be used wisely by a board.  So, what’s to be done?

At a minimum, the board needs to have a clear framework of questions to ask – one based on a good understanding of the full breadth of the risk and the required response. Here we can touch only lightly on this complex topic. But we have aimed to give a few pointers on good practice to help you cover the ground and avoid the pitfalls.