
The Board's Role in Cyber Incident Response

By Mike Woods

04/16/2026

Partner Content Provided by Internet Security Alliance

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, provides a strategic path for boards in overseeing and strengthening an organization's incident response (IR) capabilities across four core pillars.

Why Cyber Incident Response Matters 

In an ever-expanding and hyper-connected digital landscape, cybersecurity incidents are not only likely—they are inevitable. For publicly traded companies and critical infrastructure operators, the impacts of ransomware, data theft, insider threats, cloud service failures, or artificial intelligence (AI) driven cyberattacks extend beyond IT—they touch revenue, brand, compliance, and trust from investors and consumers.  

Effective cyber-IR is the cornerstone of organizational resiliency and is based on four core pillars: governance, preparedness, response, and recovery.

Governance and Oversight: The Role of the Board

Governance begins with clearly assigned ownership of the IR program, typically under a senior executive (e.g., CISO or chief information officer) with cross-functional authority.

The board should:

  • Review IR plans annually or when they change materially.
  • Receive briefings on regulatory obligations, reporting requirements, and potential liabilities from legal counsel.
  • Validate that third-party risks are being effectively managed.
  • Be informed of emerging threats, including generative AI misuse and autonomous malware.

Preparedness: Building the Foundation Before the Crisis

Preparedness is the most controllable phase of IR. It includes:

  • Clear IR Playbooks: Scenario-based guides for ransomware, cloud compromise, insider misuse, AI manipulation, and third-party breaches.
  • Asset and Data Inventory: Knowing where sensitive data resides (e.g., multi-cloud, on-premises, and operational technology environments) as well as any third-party dependencies is critical to containment.
  • Communications Protocols: Pre-drafted internal/external holding statements, social media monitoring, and spokesperson readiness.
  • Tabletop Exercises and Simulations: Regularly scheduled exercises built around realistic risks and threats, such as state-sponsored threat actors, cloud security failures, third-party and supply-chain compromise, and emerging AI-generated attacks.
    • Ideally, tabletop exercise scenarios should be relevant to the organization's risk profile and aligned to the types of incidents the organization may face.
    • These scenarios help uncover operational and communication gaps, especially in federated IT and hybrid cloud environments.
  • IR Service Readiness: The IR plan should also include pre-negotiated retainers for response services, such as digital forensics and incident response (DFIR) providers, breach counsel, dark web intelligence services, and ransom negotiators, so that they can be activated quickly in the event of an incident.

Response and Containment: Acting Under Pressure 

When a cyber incident strikes, time is the most precious resource. Boards should understand the maturity and agility of their organization’s IR program: 

  • Rapid Triage: understanding scope, affected assets, and potential data exposure
  • IR Service Activation: leveraging and coordinating with response services on retainer
  • Containment and Eradication: segmenting affected systems, disabling compromised accounts, and isolating infected workloads
  • Legal Coordination: securing attorney-client privilege, notifying regulators, and engaging with law enforcement
  • Insurance Coordination: understanding the incident's impact and the coverage options available, in coordination with the organization's cyber insurance representatives
  • Business and IT Alignment: prioritizing systems that support revenue, customers, and operations
  • Third-Party Notification: coordinated response and disclosure involving cloud providers, vendors, or integrators

Contact and Communication Obligations

In the wake of a significant incident, multiple stakeholders must be contacted promptly, often within legally mandated timeframes: 

  • Regulators: Depending on the scope and jurisdiction, state, federal, and other national entities must be notified.
  • Law Enforcement: FBI Cyber Division, Cybersecurity and Infrastructure Security Agency (CISA), local authorities, and, if applicable, Interpol or Europol.
  • Cyber Insurance Carriers: Immediate notice is usually required to ensure coverage.
  • Cloud and Technology Providers: Providers such as Amazon Web Services, Microsoft, Google Cloud, and key software service vendors must be engaged to identify shared responsibility actions.
  • Customers and Clients: Depending on the data affected, organizations may need to notify individuals, businesses, or partners, often within 72 hours.
  • Investors and Analysts: In the US, public companies must assess materiality and make appropriate 8-K or equivalent disclosures within four days of a determination of materiality.
  • Media and the Public: A designated spokesperson should manage communications to preserve trust and reduce misinformation.
  • Banks, Credit Bureaus, and Financial Services Partners: Boards should ensure proactive engagement and relationship building with these stakeholders.
    • Pre-built templates, holding statements, legal review, and designated contacts for each stakeholder group should be part of the IR plan.
    • It is important to remember that what is known frequently changes during an incident. Boards should ensure they are properly informed and communicate the necessary information as it becomes available.

Recovery and Learning: Emerging Stronger

Cyber resilience is not just about bouncing back; it is about bouncing forward. Post-incident recovery should go beyond technical restoration. Boards should confirm that recovery outcomes include:

  • restoration of critical functions (e.g., finance, operations, customer access) before full infrastructure rebuild
  • transparent and timely stakeholder communications
  • root cause analysis and process review
  • updates to playbooks, policies, and employee training based on findings
  • changes in architecture or tooling, particularly with AI detection and cloud posture management, if needed
Questions Boards Can Ask About IR and Sample Responses

  • Who owns our cyber-IR program?
    • Sample Response: The program is led by the CISO with joint oversight from legal and risk. A formal IR steering committee meets quarterly.
  • Have we conducted realistic tabletop exercises in the last 12 months?
    • Sample Response: Yes, our most recent tabletop simulation involved a ransomware attack that impacted cloud infrastructure and required multi-party coordination. A separate scenario focused on the misuse of generative AI to craft convincing spear-phishing emails.
  • How mature are our detection and response capabilities, and does this maturity minimize business impacts of an incident within agreed-upon thresholds?
    • Sample Response: Our average detection time is under two hours, and containment playbooks target a 24-hour resolution window for our most critical assets.
  • Do we have a board-level escalation process?
    • Sample Response: Yes, the IR plan includes clear thresholds for when and how to brief the board depending on financial, legal, or reputational impact.
  • What are our disclosure obligations and procedures for regulators, customers, and suppliers?
    • Sample Response: We track global obligations via legal counsel, including the US Securities and Exchange Commission (SEC) rules on material cyber incidents, state breach notification laws, and GDPR obligations.
  • Are we aligned with our cyber-insurance policy coverage?
    • Sample Response: Our IR plan aligns with our cyber-insurance policy, including the use of approved vendors and timely notification requirements.
  • Are our backups protected and tested?
    • Sample Response: Backups are encrypted and stored in isolated cloud environments with quarterly restoration testing. We also conduct readiness testing of backup integrity and immutability.
  • Can we quantify the business impact of cyber scenarios?
    • Sample Response: Yes, we model potential losses for scenarios such as disruption of cloud services, ransomware, domain takeover, and AI data poisoning using impact matrices and dollar estimates.
  • What lessons have we learned from recent incidents? What lessons were learned from other incidents involving companies of similar size or within our industry?
    • Sample Response: After a 2024 phishing incident in human resources, we added conditional access and changed onboarding procedures for all cloud software-as-a-service (SaaS) applications. We also expanded email security filters to detect AI-generated content.
  • How are we preparing our IR plans for emerging threats like AI-driven cyberattacks? How are these scenarios different? Do they create additional exposure and do they require new tools?
    • Sample Response: We have incorporated AI-related threats into our tabletop exercises, including scenarios involving deepfake phishing and malicious AI-generated code. Our detection tools are being updated to monitor for generative AI misuse, and we are assessing AI-related third-party risks. Governance includes internal guidelines for responsible AI use to limit exposures.
