Cybersecurity Governance for Board of Directors

Strengthening your Board's Cybersecurity Foundations for the Inevitable Attack

As a company Director, you should assume that the probability of a successful, high-impact cyber-attack on your organisation is very high and continually increasing. This is further exacerbated by the growing number of interconnected devices (IoT) and applications, the volume and velocity of data being created, and the incorporation of AI into cyber-attacks.

This article looks at the current and future cybersecurity foundations required by a Board of Directors in discharging their duties.

The evolving cybersecurity landscape requires Boards of Directors to ensure that they have the correct foundations in place to address their cybersecurity strategy and to mitigate the associated risks. This includes cybersecurity being sponsored at board level.

Cybersecurity breaches are increasing, and so is the attention company boards need to pay to this growing risk and its impact on operations and people.

Governments and investors are also paying closer attention to companies' cybersecurity expectations and obligations, given the potentially significant financial and reputational damage involved.

Cybersecurity is a strategic issue requiring board and risk oversight, including preparedness for the various types of cybersecurity events.

Within the Directors' remit is the obligation to protect the organisation's assets, and this includes proprietary and confidential data assets, reputation and its associated goodwill. To achieve this, the directors are responsible for overseeing the management systems that exist for the identification, mitigation and management of the organisation's risks.

Cybersecurity risks vary depending on the organisation and the industry it operates in, and its Directors need to be knowledgeable about the type and nature of the cybersecurity risks they specifically face.

The Directors and any board committees need to understand, and be responsible for, the policies and supporting management systems implemented to manage and respond to cybersecurity events.

Boards can enhance the discharging of their duties relating to cybersecurity by:

  • Becoming familiar with the legal ramifications of a cybersecurity scenario;

  • Engaging with cybersecurity professionals during board meetings (and outside of them) as required, or as a regularly scheduled item in their risk management meetings;

  • Taking an enterprise-wide management approach that goes beyond the IT department and implements an enterprise-wide risk management framework for cybersecurity;

  • Ensuring cybersecurity risk management plans identify which risks are to be accepted, avoided or mitigated.

To strengthen the Board's foundation on cybersecurity risk, and to be in a position to take a proactive approach, Directors need to:

  • Be provided with, and understand, information on the organisation's IT strategy and assets and how they relate to cybersecurity risks. In addition, a reporting frequency to the board needs to be agreed that covers risks, incidents and performance, together with the metrics to be reported on, including benchmarking;

  • Schedule cybersecurity risk as a topic on the board meeting agenda, which will elevate the importance of cybersecurity with the management team;

  • Ensure the Board's skill matrix also includes cybersecurity experience and knowledge;

  • Identify, and if required form, a cybersecurity committee. The board will need to decide whether oversight of cybersecurity risks is the responsibility of the Board or of a committee;

  • Regularly review management's cybersecurity risk assessments and its efforts in monitoring and mitigating these risks. Assessments should include:

      • Alignment to the organisation's risk appetite;

      • The type and degree of vulnerabilities;

      • Sensitive areas of the organisation;

      • Likelihood of the risk occurring;

      • Scenario impacts;

      • Cybersecurity strategy review;

      • Review of cybersecurity policies and practices;

  • Review whether a cybersecurity insurance policy is required and, if so, what its coverage should contain, based on a cost-benefit analysis of a cybersecurity event occurring (which is only a matter of time). Any insurance policy coverage needs to be carefully reviewed to ensure the organisation is covered for specific events and their associated damages. Note that an insurer will likely impose additional costs on an organisation seeking cybersecurity insurance in the areas of audits, documentation, prevention, detection, analytics and reporting mechanisms. The board needs to be aware of the impacts, repercussions and associated costs of a cybersecurity breach, which can include lost income, disruption to operations, the impact of operational interruptions, the cost of activating business continuity plans, fines and penalties, legal costs of claims brought against the organisation, damages that need to be paid out, public relations costs, costs arising from data loss, investigative costs and any extortion monies that may be paid;

  • Ensure the cybersecurity function in the organisation is resourced appropriately and that the board is briefed on the delegated responsibilities, how they are organised, their reporting lines and how these flow from the board throughout the organisation;

  • Ensure management responsibilities in the event of a cybersecurity event are defined, covering all internal and external stakeholders and their relationship to a public relations plan. These need to be reviewed and tested on a regular basis. Management's response to a cybersecurity event will include a designated response team that follows a clearly defined and understood cybersecurity response plan across the different types of cybersecurity event scenarios.

The probability of a cybersecurity incident occurring in the current environment is continually increasing, driven by the number of interconnected devices (IoT), the vast volumes of data being created and the application of AI in hacking techniques. All of these expose the board and the organisation to an ever-increasing likelihood of an incident occurring. I hope this article has served in furthering your knowledge as a director to more effectively discharge your duties to the organisation and its shareholders.

Arthur Dimitropoulos is an Executive Director at Rundas Capital, providing advisory and consulting services focussed on improving corporate performance and providing NED services.

