
Assessing the Board’s Cyber-Risk Oversight Effectiveness

By NACD Staff

03/15/2021



In brief: This tool helps directors frame the key questions to pose to their senior management teams in order to provide effective cyber-risk oversight. It then provides a numerical scale for assessing the board’s cyber-risk oversight effectiveness. This brief was written by Thomson Reuters and originally appeared in Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.

This resource can help your board to

  • pose questions to management to assess key cyber risks,

  • provide oversight of the corporation’s cyber-risk landscape, and

  • evaluate the board’s understanding of cyber risks facing the organization.

Most relevant audiences: Risk committee chairs, risk committee members, and CISOs

This tool helps directors identify which questions to ask senior management and outlines a numerical scale for assessing the board’s cyber-risk oversight effectiveness.

Board leaders wishing to incorporate a cybersecurity component into their board’s recurring self-evaluation can use the questions in the table below as a starting point.

Questions Directors Can Ask to Assess the Board’s Cyberliteracy

  1. Can all directors effectively contribute to a robust conversation with management about the current state of the company’s cybersecurity? In which areas does our lack of knowledge/understanding of cyber matters prevent effective oversight?