Cyber risk is “an enterprise-wide risk management issue, rather than a pure IT security issue” (see Deloitte, 2021), meaning that it is crucial for corporate boards to understand why and how cyber breaches affect their companies and what they can do to mitigate that risk. To ensure that corporate board members are prepared for this complex and changing environment, we have set out 10 key questions that each board member should ask themselves and/or the wider board.

1. What and where are your company’s technology-based assets?

By determining a company’s online and technology-based assets (including customer details, key financial data and/or trade secrets), the board can ensure that its cybersecurity plan properly protects all exposed assets.

2. What cyber insurance does the company benefit from and when was it last reviewed?

With cyberattacks increasingly inevitable for many organizations, the board needs to ensure that any risk that cannot be mitigated fully by the company be insured. Therefore, it is important for the board to be aware of what cyber insurance it benefits from and whether it is likely to cover the possible consequences of an attack. This analysis should include the business stakeholders, as well as the IT department, to ensure that the analysis is holistic.

3. How do your company’s employees and third-party contractors interact with the company’s cyber assets?

Understanding whether key business associates, stakeholders, contractors and others have access to the company’s network and data will help inform the company of its risk exposure. Cyber policies can be implemented to better protect the company’s technological assets. Relatedly, the company should, at the same time, review any business agreements and contracts for gaps in coverage. The company should ensure that it is sufficiently protected under any agreements that include indemnification language that could expose the company to liability.

4. What are the legal, regulatory and reputational consequences of a cyberattack on your company?

As the threat of a cyber event increases, so does the compliance landscape around data protection. It is important for the board to understand what the impact of a cyberattack would be – not only on its networks, data and potential business interruption – but on the legal, regulatory and reputational consequences as well. It may be advisable to bring in a speciality consultant to ensure that the full ramifications of an attack have been considered and understood (see World Economic Forum).

5. Who at the company owns the cybersecurity risk portfolio? Does the business have sufficient capacity to deal with cybersecurity issues?

The board should understand where the day-to-day responsibility for cyber threats sits within the business and should make sure it is clear whether the board itself or a specialized committee is responsible for oversight of those persons (see Deloitte). In some cases, companies will not have the internal capacity to address cybersecurity and should consider hiring a third-party expert (see Security).