Cybersecurity: How the Board Should Address Governance Challenges

Cyber risk has moved well past the IT department. It now sits at the board table. More than 600 million cyberattacks are recorded globally every day, according to Microsoft’s Digital Defense Report, and projected annual losses from cybercrime are expected to reach $20 trillion in the coming years. For boards, the question has shifted from whether to engage with cybersecurity to how to govern it effectively, and how to demonstrate that governance to regulators.

What is cybersecurity?

As cyber risk emerged with the rise of the Internet and new technologies, cybersecurity was developed to protect companies’ data. According to the National Institute of Standards and Technology, cybersecurity risk “relates to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems.” Any threat to sensitive data can profoundly affect operations and the organization as a whole.

The treatment of companies’ data and information has become more and more sensitive as global connectivity expanded, resulting in increased risks for companies.

Cyber risks are not only confined to identified competitors, which could use leaked information for their own benefit. More importantly, these risks relate to local and international laws, customer and employee privacy issues, and even unlawful third parties looking for ransom. As a result, cybersecurity has become critical for the safety of companies at all levels.

The current challenges of cybersecurity

As cyber risk developed, tech employees started to report issues and undertake measures not fully understood by non-tech specialists. Initially, cybersecurity matters weren’t even brought to the board. Some board members grew more and more concerned with cyber risks but continued entrusting the tech officer with full responsibility for cybersecurity.

This is one of the current cybersecurity challenges for the board: How to build an excellent cybersecurity policy and stay on top of the matter without being a tech expert?

Other challenges are linked to the very nature of cyber risk. Technology is constantly and rapidly evolving, and so are cyber threats. Data breach risks have never been higher with the massive digitalization of data, AI tools, automation, and the boom of connected devices. Local and international regulations are fragmented, to say the least, resulting in extra costs and more significant risks for companies.

Remote work and undertrained employees can turn into entry points for cyberattacks, including ransomware. Companies often have to rely on third parties to store and process their data and even to ensure cybersecurity.

Two emerging threats have sharpened the challenge considerably in recent years:

  • AI-generated attacks. Cybercriminals now use generative AI to craft more convincing phishing campaigns, automate attack sequences, and probe defenses at scale. Attacks have moved from AI-assisted to fully AI-generated and AI-managed, a shift the board must understand.
  • Supply chain vulnerabilities. Intrusions originating through third-party vendors have surged sharply, with cascading effects capable of halting operations across entire industries. One attack on a single supplier can ripple through hundreds of connected organizations.

The regulatory environment has shifted. Boards can no longer treat cybersecurity as a delegated IT matter.

In the United States, the SEC’s 2023 cybersecurity disclosure rules require public companies to disclose, in their annual reports, how the board oversees cybersecurity risk. Directors must demonstrate active involvement, not passive awareness.

In Europe, the NIS2 Directive, which became applicable in October 2024, goes further. It places direct liability on management bodies for inadequate cybersecurity risk management. Board members are required to understand, approve, and oversee the organization’s cyber measures. Failure to comply can result in personal accountability for senior managers.

As CISA put it plainly: “security isn’t an IT function, but rather a culture and set of repeatable practices driven by the CEO and senior executives.”

Cyber literacy is now expected of board members the way financial literacy has always been. Not every director needs to be a security expert, but every director should be able to engage with cyber risk reporting, understand the implications of a breach, and hold management accountable for the organization’s cybersecurity program.

Who is responsible for managing cyber risk?

Cyber risks can no longer be ignored at the company’s highest level. Just like any other corporate matter, cybersecurity must be integrated into a responsibility and management chain. This means board members should be as involved in cybersecurity as tech officers. They just won’t be acting on the same issues.

The best options will be different from one company to another. Typically, an IT officer or a chief information security officer (CISO) takes care of cybersecurity from a technological and operational point of view. A CISO typically works alongside the IT team on all matters linked to data security. In general, the CISO brings a proactive attitude to cybersecurity, not just dealing with the consequences of security breaches. However, the CISO cannot be solely responsible for creating cybersecurity policies or for taking extreme preventive measures.

Directors have to step in. Depending on the company and how the board was designed, some companies might need to create a special committee to oversee cybersecurity risks and responsibilities. Other boards might only need coordination between the CISO and the director with cybersecurity expertise. In any case, boards must become increasingly involved in cybersecurity strategies in order for companies to protect themselves from threats.

Apart from high-level strategies and big decisions, it is crucial to understand that everyone interacting with the company is de facto involved in cybersecurity. Employees in all departments, independent contractors, clients, and users: every party represents a potential weakness for the company. A security model must include the organization at all levels.

Cybersecurity governance: a new challenge for the board

Despite the increasing need for directors to be involved in cybersecurity, this field is often out of their expertise. New technologies are constantly being introduced, making it difficult for board members to stay current.

The CISO or external cybersecurity consultants can help close this gap. Before deciding on the best strategy, board members need to build a stronger relationship with their CISO. Training, information, and regular reporting to the board are vital to tackling cybersecurity challenges.

One useful reframe: think of cyber risk the way you think about financial risk. Not every board member is an auditor, but every board member can read a balance sheet and ask probing questions. The same standard applies here.

Questions every board should be asking

Effective governance requires ongoing dialogue with management, not one annual briefing. The following questions serve as a practical starting point for boards at any stage of their cybersecurity oversight.

On risk exposure

  • What are the organization’s most critical digital assets, and how are they protected?
  • What is our current cyber risk profile, and how has it changed over the past year?
  • How are third-party and supply chain risks being assessed?

On policy and preparedness

  • Does the organization have a tested incident response plan? When was it last reviewed?
  • Are employees at all levels receiving regular cybersecurity training?
  • What is our exposure to shadow IT or unsanctioned digital tools?

On governance and reporting

  • What metrics does management use to report cybersecurity performance?
  • How are near-misses and failed breach attempts reported to the board?
  • Is our current committee structure appropriate for the level of cyber risk we face?

Boards that build these questions into a regular oversight cadence are better placed to satisfy regulatory expectations, and to catch problems before they become crises.

Overseeing cybersecurity with committees

In some cases, the right choice might be tackling cybersecurity challenges through committees. This can be done by delegating cyber risk governance to the audit committee. On the one hand, the committee is usually already in place, members are used to working together, and meetings are already built into the board calendar. On the other hand, members of the audit committee are not necessarily cybersecurity governance experts. The audit committee’s workload can be substantial, and there is a risk that cybersecurity might get overlooked.

Some companies are choosing other existing committees: governance committees, risk committees, and even technology subcommittees. The pros and cons are broadly similar. Depending on which members sit on these committees, one of them might be the best fit.

Another solution is to set up a dedicated cybersecurity committee. This option is typically best for larger companies, particularly those directly involved in tech or AI. It may require bringing in new members or reshuffling nominations. But if the company’s risk profile warrants it, a dedicated committee signals a long-term, proactive commitment to cybersecurity governance.

The board’s role in incident response

Governance responsibilities do not stop at prevention. When a breach occurs, the board has a specific and defined role.

Before an incident

Confirm that a tested response plan exists. Escalation thresholds and communication protocols for regulators, customers, and employees should be documented and rehearsed.

During an incident

The board must be briefed promptly and consistently. Management cannot respond to a crisis effectively if the board is kept at arm’s length.

After an incident

Commission an independent review of what failed and why. Those findings should feed back into the cybersecurity strategy, not sit in a report that no one reads again.

One frequently overlooked detail: how board communications are handled during a crisis matters as much as the crisis itself. Sensitive deliberations sent over standard email can compound the original breach. A dedicated board portal ensures that directors can exchange documents, discuss strategy, and coordinate decisions on encrypted, access-controlled infrastructure, with a full audit trail that regulators may request. The DiliTrust Board Portal holds ISO 27001 and SOC 2 Type II certifications and is hosted on sovereign servers outside the scope of the US CLOUD Act, with data stored locally in Europe, the Middle East, and Canada.

FAQ: board cybersecurity governance

What is cybersecurity governance at the board level?

Cybersecurity governance refers to the board’s role in overseeing how the organization identifies, manages, and responds to cyber risks. This includes reviewing the cybersecurity strategy, holding management accountable for execution, and ensuring the organization has the resources and structures in place to protect its most critical assets.

What do NIS2 and SEC rules require of board members?

Under the NIS2 Directive, which applied across EU member states from October 2024, board members must approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for non-compliance. In the US, the SEC’s 2023 rules require public companies to disclose annually how the board oversees cybersecurity risk. Both frameworks treat cyber oversight as a fiduciary duty.

What questions should boards ask about cybersecurity?

Boards should ask management about the organization’s critical digital assets and how they are protected, when the incident response plan was last tested, how third-party and supply chain risks are monitored, and what cyber risk metrics are being tracked. These questions should be raised on a regular, structured basis, not only after an incident occurs.

How can boards ensure secure communications during a cyber crisis?

During an incident, board communications should run through channels that are independently secured and entirely separate from company systems. A dedicated board portal with end-to-end encryption, document-level access controls, and a full audit trail ensures that board deliberations remain protected even when the broader network is under threat.