As board directors prepare for their upcoming quarterly meetings, cybersecurity should be a priority on their agendas. The recent surge in cyber threats, including ransomware, bot attacks, and assaults on critical infrastructure, underscores the urgency. These cyberattacks have not only become more frequent but also more sophisticated, causing financial and reputational damage globally.

Cybersecurity is increasingly recognized as a critical board-level issue. With the financial and reputational risks associated with cyber incidents, and increasing regulatory demands from entities like the U.S. Securities and Exchange Commission, boards are urged to step up their oversight and governance practices.

Here are essential cybersecurity questions board members should address to ensure robust governance and risk management:

What does our board reporting on cybersecurity entail?

Understanding the organization’s risk profile is crucial for strategic planning. Boards should receive regular updates on the cybersecurity strategy, ongoing risk mitigation efforts, current threats, responses, and an evaluation of the effectiveness of these measures. It’s important to assess whether the reporting frequency and detail are sufficient for the board to grasp the company’s cybersecurity posture fully.

How are we educating our staff about cybersecurity?

Human error is a major vulnerability, causing an estimated 88% of breaches according to a Stanford University study. Enhancing employee training to recognize and avoid cyber threats is vital. Additionally, boards should evaluate their own understanding of cybersecurity to make informed decisions. This might involve formal training sessions led by the Chief Information Security Officer (CISO) or other experts.

Are we prepared with a cybersecurity incident simulation?

Just as fire drills prepare us for actual emergencies, cybersecurity simulations can ensure readiness for real incidents. Boards should verify that the company has clear, practiced protocols for responding to cybersecurity breaches. These simulations should test the organization’s incident response plans thoroughly.

Should we include cyber expertise directly on our board?

While not mandatory, adding a cybersecurity or technology expert to the board can provide valuable insights and guidance tailored to the organization’s specific risks. This could be a former CISO, a cybersecurity professional, or the company’s current CISO.

Are we allocating sufficient resources to cybersecurity?

Directors need to consider whether current investments in cybersecurity are adequate to protect the organization and comply with regulatory requirements. Understanding the potential financial impacts and regulatory penalties for inadequate cybersecurity practices or failure to report incidents is also crucial.

Boards play a critical role in ensuring that their organizations are not only prepared to handle cyber threats but also positioned to thrive in a secure digital landscape. The next board meeting is an excellent opportunity to initiate or advance these discussions, setting the stage for a secure and prosperous future for the business.