

2025 Public Company Board Practices and Oversight Survey
Survey Analysis: Cybersecurity Oversight
Discover findings from NACD’s 2025 Public Company Board Practices and Oversight Survey related to the board’s oversight of cybersecurity at their organizations. The data was gathered from directors and others who serve the boards of publicly traded companies.
Key Insights
The state of board cybersecurity oversight in 2025 is mixed. Overall, respondents are more confident in their board’s cybersecurity oversight capabilities and in their own capabilities. This aligns with broader adoption of key oversight practices and greater participation in cyber-risk education by individual directors. For example, 77 percent of respondents said that their board has “discussed material and financial implications of a cybersecurity incident,” an increase of 25 percentage points compared to the findings of the 2022 NACD survey, while 72 percent of respondents indicated they have attended individual director education activities on cyber risks, compared to less than half (49%) in 2022.
Figure: Practices conducted over the past 12 months
Chart categories: “Participated in individual-director educational activities to learn more about cyber-related issues” and “Discussed the material, financial implications of a cybersecurity incident”
Top Q: Which of the following practices have you or your board conducted over the past 12 months to gain a better understanding of cyber-risks facing the organization? (Please select all that apply.)
Bottom Q: Which of the following cyber-risk oversight practices has the board performed over the past 12 months in preparation for a potential cybersecurity incident? (Please select all that apply.)
Source: 2025 NACD Public Company Board Practices and Oversight Survey, n=156
Source: 2022 NACD Public Company Board Practices and Oversight Survey (p.6), n=315
This expanding confidence and overall increase in cyber knowledge is reflected in a decrease in the percentage of respondents believing their board would benefit by recruiting a director with cyber expertise. Only 27 percent of respondents agreed that their board would benefit from recruiting a director with cybersecurity expertise, in stark contrast to the 2022 survey, where 42 percent of respondents agreed.
However, in an ever-changing threat environment, directors acknowledge the need for improvements in key areas, such as the quality of reporting and metrics (47% indicate improvement is very or extremely important), the delineation of specific roles and responsibilities for specific committees (39%), and director access to quality education and outside expertise (38%).
How important is it that your board improves in the following areas related to cyber-risk oversight?
2025 NACD Public Company Board Practices and Oversight Survey, n=158-159
Survey data suggest that a few practices are key to improving boards’ understanding of cybersecurity. First is the proactive pursuit of information on the topic. A majority of the respondents who agreed that their board’s understanding of cybersecurity has improved had taken a number of steps, including: recently “communicated with management about the types of cyber-risk information their board needs” (72%), “leveraged external advisors . . . to understand the risk environment” (64%), or “leveraged internal advisors . . . for in-depth briefings” on cybersecurity topics (60%). Those that had not seen improvements were less likely to have taken this kind of initiative.
A majority of respondents noted that their board’s understanding of cybersecurity has improved
Q: To what extent do you agree or disagree with the following statements?
Note: Statement: “My board's understanding of cybersecurity today has significantly improved, compared to two years ago.” The “Improved” group includes “Strongly agree” and “Somewhat agree.” The “No improvement” group includes “Strongly disagree,” “Somewhat disagree,” and “Neither agree nor disagree.”
2025 NACD Public Company Board Practices and Oversight Survey, n=160
Which cyber-risk oversight practices have boards conducted over the past 12 months?
Comparing respondents that have noted improvements in their board’s understanding of cybersecurity to those with no improvement
Q: Which of the following practices have you or your board conducted over the past 12 months to gain a better understanding of cyber-risks facing the organization? (Please select all that apply.)
Note: “Improved” group includes respondents who noted “Strongly agree” and “Somewhat agree” with the statement: My board's understanding of cybersecurity today has significantly improved, compared to two years ago. The “No improvement” group includes “Strongly disagree”, “Somewhat disagree,” and “Neither agree nor disagree.”
2025 NACD Public Company Board Practices and Oversight Survey, Agree: n=124, Do not agree, n=34
A second key area is taking steps to become familiar with the company’s cybersecurity processes. Directors were more likely to have reviewed their company’s current approach to protecting critical data assets in the past year (82% of respondents that have seen improvement to board cybersecurity understanding had done so, compared to 63% of those not seeing improvement). They were also more likely to have reviewed the company’s cyber response plan (74% vs. 60%) or even to have participated in a test of this response plan (36% vs. 23%).
Which cyber-risk oversight practices have boards conducted over the past 12 months?
Comparing respondents that have noted improvements in their board’s understanding of cybersecurity to those with no improvement
Q: Which of the following cyber-risk oversight practices has the board performed over the past 12 months? (Please select all that apply.)
Note: “Improved” group includes respondents who noted “Strongly agree” and “Somewhat agree” with the statement: My board's understanding of cybersecurity today has significantly improved, compared to two years ago. The “No improvement” group includes “Strongly disagree”, “Somewhat disagree,” and “Neither agree nor disagree.”
2025 NACD Public Company Board Practices and Oversight Survey, Improved: n=125, No improvement, n=30
Finally, those boards experiencing improvements to their understanding of cybersecurity were much more likely to have looked into the implications or potential consequences of a cyber breach. Key practices included discussion of material financial implications of a cybersecurity incident (79% vs. 60%), and (as noted above) adoption of this practice has increased over the years. Additionally, improvers were more likely to have reviewed the scope of the organization’s cyber insurance coverage (75% vs. 46%) or to have discussed the legal implications of a cybersecurity event (62% vs. 39%).
Which cyber-risk oversight practices have boards conducted over the past 12 months?
Comparing respondents that have noted improvements in their board’s understanding of cybersecurity to those with no improvement
Q: Which of the following cyber-risk oversight practices has the board performed over the past 12 months in preparation for a potential cybersecurity incident? (Please select all that apply.)
Note: “Improved” group includes respondents who noted “Strongly agree” and “Somewhat agree” with the statement: My board's understanding of cybersecurity today has significantly improved, compared to two years ago. The “No improvement” group includes “Strongly disagree”, “Somewhat disagree,” and “Neither agree nor disagree.”
2025 NACD Public Company Board Practices and Oversight Survey, Improved: n=121, No improvement, n=28
Why It Matters
The current environment is characterized by the growing sophistication of cyber-threat actors, the increased speed with which cyber threats can deliver material impacts to businesses, and the AI innovations which are introducing new threats. Boards will need to maintain and build on the cyber-risk oversight improvements they have made in recent years.
Companies face a growing number of nation states and cyber-criminal groups that leverage AI tools like ChatGPT to scale their operations and tailor cyberattacks for greater effectiveness. One report highlighted a 442 percent increase in voice phishing attacks driven by AI-generated impersonation and deepfake tactics. Geopolitical developments around the world have the potential to drive well-resourced nation-state actors to expand their activities in the cyber realm. For example, business leaders were placed on high alert in anticipation of attacks by Iranian-linked hackers during the Israeli-Iranian conflict.
Accompanying the growing sophistication is the speed and scale with which cyber threats can impact businesses. Breakout time for cyberattacks continues to shrink, with one report stating that the average breakout time has reached an “all-time low” of 48 minutes. The interconnected nature of modern business means a cybersecurity incident or service outage can quickly cascade throughout a sector, causing material losses across multiple businesses.
This situation necessitates a board focus on the organization’s preparation and resilience. This includes placing greater emphasis on effective cyber-incident response and evaluation of cyber-risk impacts from multiple perspectives including financial, technical, and operational.
What Boards Should Do
To overcome the challenges directors highlighted in the data, boards can focus their attention on improving the overall board’s cybersecurity education, more formally delegating cybersecurity oversight to the board’s standing committees, continuing to work with management to more directly link cybersecurity metrics to the organization’s strategy, and routinely evaluating the organization’s and board’s ability to respond to cyber incidents quickly and effectively.
While directors highlighted improvements in their understanding of cybersecurity, boards can consider performing more full-board cybersecurity education to help elevate each director’s understanding of the cyber-threat landscape and the major threats facing the organization. With only 36 percent of boards performing this type of education, boards could see improvements in director engagement in cybersecurity discussions due to a shared, baseline understanding across the full board.
The continued evolution of technology and business operations will require increased attention to the organization’s evolving cyber-risk profile. The board should consider more formally assigning cybersecurity oversight tasks to the risk committee, creating a cybersecurity subcommittee where cyber-risk oversight responsibility is already delegated, or establishing a dedicated technology and cybersecurity committee.
Lastly, to confront the growing speed and scale of cyber threats, ensuring the company maintains a robust incident response plan is essential to mitigating business impact and maintaining stakeholder and shareholder trust. While many board members reviewed their organization’s incident response plan, participating in or evaluating a simulated test of the organization’s plan, a growing practice which nearly one-third (32.7%) of respondents conducted in the last 12 months, can help the board validate the effectiveness of the plan, ensure it is fit for purpose, and further improve the board's performance in such situations.