Crisis Management

The Board has a Bigger Role to Play in Driving Organizational Cyber Resilience

by Joe Nocera and Maria Moats

Globally, one in four companies have suffered data breaches costing them upwards of $10 million. Despite growing organizational awareness and resilience in the face of cyber threats, an integral component of mitigating cyber risks is keeping the board informed and ensuring it understands its role as a key stakeholder.


It should come as no surprise that as the cyber threat landscape continues to evolve alongside the adoption and integration of new technologies, so do the risks that companies face in keeping their organizations secure. This is a trend we’ve seen for some time now, and companies are taking note: more than 70% of respondents to PwC’s Global Digital Trust Insights survey observed improvements in cybersecurity over the past year. This is certainly a step in the right direction as threats continue to escalate. 

In today’s environment, you’re far more likely to have been impacted by a breach than not. In fact, one in four companies (27%) globally have suffered a data breach costing $1–20 million or more in the past three years. And despite their heightened awareness and sharper focus on cybersecurity, only 40% of senior executives say they have fully mitigated the risks their bold moves incurred. In other words, there’s more work to be done.

An integral part of how to best navigate this escalating risk landscape is teamwork. This requires CISOs and the rest of the C-suite working together as a cohesive unit to build up cyber defenses and resilience. It requires the C-suite keeping the board informed and ensuring the board understands its role as a key stakeholder. For board members, the task is keeping up with the latest key risks their organization faces. The best boards understand how those risks are managed, what questions they should be asking, and how best to provide cybersecurity oversight for their organization.

Here are some tips for deepening the board’s understanding of the organization’s cyber posture and positioning them to help build up the business’ cyber resilience: 

  1. Understand the cyber risk management program

A majority (59%) of directors say their board is not very effective in understanding the drivers and impacts of cyber risks on their organization. And yet, according to PwC’s Annual Corporate Directors Survey, more than 90% of directors are comfortable that their company is staying current on cyber defenses, has identified its most valuable digital assets, and has done enough testing of its resistance to attacks. This inflated boardroom confidence, coupled with the admission that they may not fully understand all the risks their company faces, is a risk unto itself. This could lead to the board paying insufficient attention to their cybersecurity risk management program, leaving their organization more vulnerable.  

Boards should be asking: 

  • Who or what are the main threats we need to be aware of? What motivates them? How are we responding to these threats?  
  • Do we have a policy for when we [the board] are notified of a breach or other cyber-attack? Do we understand and approve of this policy? 
  • Have we reviewed and tested management’s cyber response plan? 

Boards need to be able to identify and understand the main threat actors that impact their organization, what motivates them, and what the business implications are if their organization is targeted. These answers can help boards understand potential vulnerabilities at the company, and in turn better understand the key cyber risks that can then become a part of the organization’s enterprise risk management program. 

  2. Ask for transparency

As a key stakeholder for the C-suite, boards can become stewards of transparency around cybersecurity. Directors, customers, investors and regulators alike are hungry for transparency and are demanding more—and better—information, particularly in the form of disclosures around cyber incidents and policies and practices.  

Here’s how boards can help foster more transparency: 

  • Ask how the CFO, CISO, CIO and other executives are getting ready for required cyber disclosures that are almost certain to come soon.  
  • Discuss how current cyber risk management practices and disclosures align with the proposed SEC rules, and if there is a plan to address those gaps. 
  • Ask the CISO to speak your language – and be willing to learn theirs. Request to observe or take part in any tabletop exercises to better understand management's actions/decisions during a cyber event, and the organization’s overall resilience plan. 
  • Hold one-on-one private sessions with the CISO to build a stronger relationship and ask what’s keeping them up at night – so the board can take action.

The SEC is seeking greater information to help stakeholders understand how a company manages its cyber risk exposures. The C-suite understands the significant role transparency plays in building trust with stakeholders. In fact, 80% of senior executives agree that mandatory disclosure of cyber incidents, with comparable and consistent formats, is necessary for building confidence and trust.  

  3. Reassess the board’s oversight approach

Periodically reassessing the board’s oversight approach to cybersecurity can help to enhance effectiveness. Every organization is different. Some boards task the audit or risk committee with overseeing cyber risk, while others let it fall to the full board. In other circumstances, a new committee is created to oversee the organization’s cyber posture. No matter the approach your board takes, it’s important to regularly assess how it’s working, if any changes need to be made to enhance effectiveness, and to determine whether or not directors have the expertise required to provide meaningful oversight. 

This is where upskilling and education come in. Assessing whether to add cyber expertise to your board is important, but making sure that the entire board has access to educational resources and upskilling opportunities to deepen their understanding of the ever-changing cybersecurity risks facing your organization is critical. Engage outside experts to help the board or one of its committees better understand and address cyber risk.

Directors can improve their cybersecurity knowledge through: 

  • Participating in regular discussions with management around the biggest threats facing the company and third-party risk mitigation plans, and actively observing tabletop exercises.
  • Attending cyber-risk conferences and/or external training to stay abreast of current protocols and events from the director’s chair.
  • Requesting presentations from leading outside experts and/or law enforcement to better understand the latest trends.
  • Soliciting peer perspectives: connecting with director counterparts at other organizations can help broaden the board’s perspective.

Make no mistake: the threat landscape is evolving—and fast. Although 40% of business leaders surveyed in our recent PwC Pulse: Managing business risks in 2022 ranked cybersecurity as the number one serious risk facing their companies, a heightened awareness of these risks isn’t enough to mitigate them. The board and the C-suite both have important roles to play in navigating this escalating threat environment. Their collective effectiveness depends on how much they’re willing to invest and collaborate. It may be difficult to predict precisely when or what the next threat will be, but with deeper understanding of cyber risks, education, transparency and frequent reassessment of the board’s cybersecurity oversight approach, boards and management teams can build up their organization’s resilience together.  

Joe Nocera is the Partner Leader, Cyber Risk & Regulatory Marketing at PwC and Maria Moats is the Governance Insights Center Leader at PwC.