

2025 Private Company Board Practices and Oversight Survey
Survey Analysis: Cybersecurity Oversight
Discover findings from the NACD 2025 Private Company Board Practices and Oversight Survey related to the board’s oversight of cybersecurity. The data was gathered from directors and others who serve on the boards of privately held companies.
Key Insights
Nearly three-quarters (73%) of private company respondents state that their board’s understanding of cybersecurity today is stronger than it was two years ago. However, only 49 percent believe their board’s understanding is strong enough to provide effective oversight, highlighting that boards need to further strengthen their cybersecurity oversight capabilities.
To what extent do you agree or disagree with the following statements?
2025 NACD Private Company Board Practices and Oversight Survey, n=86
Private company directors have taken steps to improve their education and awareness of cyber risk. Compared to research from 2022, this year’s data show marked increases in directors pursuing education and information from a range of sources. Directors are now engaging in more individual education (67% compared to 41% in 2022). Meanwhile, respondent boards are increasingly leveraging external advisors to understand the cyber-risk environment (52% compared to 44% in 2022), and communicating with management to obtain the cyber-risk information they need (65% compared to 51% in 2022).
Cyber-Risk Oversight Practices with Increased Adoption
(2022 compared to 2025)
Q: Which of the following cyber-risk oversight practices have you or your board conducted over the past 12
months to gain a better understanding of cyber risks facing the organization? (Please select all that apply.)
Sources: 2025 NACD Private Company Board Practices and Oversight Survey, n=86
2022 NACD Private Company Board Practices and Oversight Survey, p.6, n=122
However, other areas of private company cyber-risk oversight practices have largely remained the same compared to three years ago and in some cases have declined. Respondents state that their boards continue to prioritize practices including reviewing the most significant cyber threats facing the company (65% compared to 65% in 2022) and assessing risks from third-party vendors (53% compared to 54% in 2022).
However, fewer boards appear to be attending to operational governance practices, including the assignment of cyber-risk roles and responsibilities among committees (32% compared to 35% in 2022) and/or the full board (18% compared to 23% in 2022) or reviewing the organization’s cyberbreach response plan (56% compared to 60% in 2022). Improvements to director education and information access may account for the perception of improvement regarding the board’s cybersecurity oversight responsibilities, while the decline in key operational practices may account for lower confidence levels when it comes to the board’s overall preparedness for a cyber incident.
Cyber-Risk Oversight Practices That Have Declined or Remained the Same
(2022 compared to 2025)
Q: Which of the following cyber-risk oversight practices has your board performed over the past 12 months?
(Please select all that apply.)
Sources: 2025 NACD Private Company Board Practices and Oversight Survey, n=78
2022 NACD Private Company Board Practices and Oversight Survey, p.6, n=122
Why It Matters
The data show improvements in individual-director education and understanding; they likewise show the areas where boards’ governance processes and structures need improvement.
Director expertise and governance processes and structures work in tandem to enable effective board oversight. If boards lose sight of either side of this equation, or focus on one to the exclusion of the other, gaps in governance can arise. This is fundamental to why cybersecurity is such a challenge to oversee: its speed and evolution can often outstrip the capacity of traditional governance processes.
The need for both education and processes is particularly acute in times of a cyber crisis. With ransomware, supply chain attacks, and insider threats increasing, the likelihood of a cyber-crisis event occurring has never been higher. As cyber threats continue to test the preparedness and resiliency of companies, it is critical for boards and their management teams to have clear roles, responsibilities, lines of communication, and engagement plans in place that allow the board to activate its expertise on short notice and in a structured way.
What Boards Should Do
Private company boards should look for opportunities to institute formalized governance processes and structures in their boardrooms. Assigning responsibilities for cyber-risk oversight among the full board and its committees gives boards a mechanism to avoid gaps in cyber-risk governance. Another structural solution may be to establish a standing committee focused on technology and cyber-risk oversight, creating additional space for important cybersecurity discussions that full-board meetings cannot afford.
Boards pursuing director education while failing to make headway regarding other cybersecurity governance practices may consider this an indicator that recruiting a director with cybersecurity expertise could be beneficial to their board. This added expertise can be useful for assessing the company’s cybersecurity effectiveness as well as the board’s cyber-risk oversight.
Finally, for private company boards looking to improve their cyber-incident response, participating in and reviewing a test of the company’s response plan can be a helpful practice. Understanding how the plan may operate in practice can help boards act more quickly, more efficiently, and with better judgment when time and information are limited.
