Building Effective Cybersecurity Governance – Security


Evolving Board Oversight and Reporting to Respond to Growing Stakeholder Cyber Risk Monitoring

Digitalization has changed the way businesses operate and has given rise to a rapidly evolving set of risks that businesses must prepare for: cybersecurity risks. The increasing prevalence of cyberattacks, including ransomware, coupled with the decreasing availability of cyber insurance, is exposing organizations ever more directly to the often significant impacts of a cybersecurity incident. There is, of course, a short-term financial cost (research from IBM puts the average total cost of a ransomware breach in 2022 at $4.54 million), but from a reputational perspective the impact of an incident may be more lasting.

Recognizing how exposed companies are to cyber risk, governments, regulators and investors around the world are increasing pressure on organizations to improve their cybersecurity measures, increase transparency in their disclosures, and put in place governance and management structures that demonstrate that cybersecurity is a priority at the highest levels of the organization.

Ensuring that oversight structures are in place at the board level is a key element of cyber governance. Because cyber risk is a significant risk affecting businesses, boards are increasingly held accountable for ensuring that the management team takes appropriate action to mitigate the risk of a cybersecurity attack, and also for ensuring that the organization reacts appropriately in the event of an incident. Boards of directors often have little or no experience in this area. The dynamic nature of cyber risk means that board members are not expected to be cyber experts, although there is merit in having such expertise on the board; they are, however, expected to be able to challenge management on the subject and to inform shareholders about the measures put in place to mitigate the impact of cybersecurity incidents.

For many companies, the Chief Information Security Officer (CISO) is the executive responsible for cyber risk. With investors and regulators pushing for greater board-level oversight, the CISO will need to communicate cyber risks and metrics in terms that resonate with the board, and governance structures will need to prioritize engagement with the CISO on cyber risks.

Investors and proxy advisors are also increasingly scrutinizing companies' cybersecurity. Our research indicates that investors now view cybersecurity as a top priority, with cyberattacks consistently cited as the most important concern or area of risk for investors. Alongside this, the world's leading asset managers are providing more detail on what they expect in terms of disclosure, including details of the structures in place to manage cyber risk as well as the number and extent of cyber incidents affecting a company.

How companies communicate their cyber risk governance to investors is therefore increasingly important. Announcing the SEC's proposed cybersecurity disclosure rules, SEC Chairman Gary Gensler said, "I believe companies and investors would benefit if such disclosures were required in a manner that is consistent, comparable and useful for decision making." This highlights a lack of transparency around cyber risk and incident disclosure, and is a clear indicator that regulation is moving in only one direction.

Given the regulatory environment, the increased attention from the investment community, and the benefits of greater transparency, we believe companies can benefit from approaching cybersecurity in a manner similar to how the Task Force on Climate-related Financial Disclosures (TCFD) addresses climate risk. The TCFD framework is built around four pillars, and applying the same structure to cyber would enable corporate boards and investors to recognize cybersecurity risk in a more holistic manner, covering i) governance; ii) strategy; iii) risk management; and iv) metrics and targets.

Ultimately, the combination of regulation and demands for greater transparency will mean a sea change in disclosure for businesses. There is, however, likely to be a clear benefit, both financial and reputational, for companies that are early adopters of a more proactive approach to the governance, oversight and disclosure of cyber risk.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.


Helen D. Jessen