Boards have a statutory duty to have proper risk oversight. Cyber risk constitutes by now a critical, potentially material, business risk. However, most Boards are ill-equipped to deal with cyber risks. They consider cyber as too technical, they merely approve resources and delegate the risk.
For traditional business risks, there is an established practice of how to report evidence and an accepted distribution of responsibility/delegation. Regarding cyber risks, there is no current established practice. CISOs struggle to measure the effectiveness of their cybersecurity program and provide reasonable assurance that the residual cyber risk stays below the company risk appetite. Many CISOs do not speak “Board language” and are not invited to report.
We offer two reports below.
The first document is intended for Chief Information Security Officers (CISOs). It describes how they can best monitor, measure and report cyber risks to their Board of Directors.
The second document is intended for the Boards themselves. It is a supplement to the first document.