Cyber Oversight Under Pressure

Cybersecurity continues to rise on the board agenda, as AI-enabled attacks, SEC cyber disclosure enforcement, supply chain vulnerabilities, and increasing director accountability reshape how cyber risk is governed.

Sam Curry, Bethany Mayer, Chitra Nayak, and Rob Sloan shared practical perspectives on managing cyber risk in both the immediate-response and longer-term-mitigation phases. Caroline Tsay addressed the evolving role of the audit committee and how CISOs can engage more effectively with boards, followed by a discussion led by Mike Armistead on strengthening board–CISO dialogue.

KEY TAKEAWAYS

Early Incident Awareness and Escalation: CISO Actions

• Inform the board early via informal channels, even with incomplete information.
• Clearly distinguish incident, breach, and material breach.
• Engage cross-functional leadership immediately.
• Initiate regulatory processes and consider early notification.

Board’s Immediate Oversight Priorities

• Understand what happened, who is responsible, and how response is managed.
• Ensure external counsel and forensics are engaged early.
• Confirm containment and identify unknowns.
• Watch for red flags such as delays or unclear ownership.
• Increase oversight during leadership transitions.

Materiality and Disclosure Decisions

• Materiality requires legal input; SEC disclosure within four days if material.
• Consider impact beyond financials (IP, data, systems).
• Account for global regulations (e.g., GDPR).
• Balance transparency with accuracy.

Board vs. Management Decision Boundaries

• Management handles response; board oversees critical decisions.
• Define escalation triggers clearly.
• Maintain structured briefing cadence.

Confidence in Management Response

• Driven by clear processes and tested response plans.
• Strong leaders show coordination and transparency.
• Red flags include poor preparation or isolation.
• Ensure continuity planning is in place.

Post-Incident Review and Strategic Implications

• Conduct immediate and delayed reviews.
• Reassess strategy and investments.
• Evaluate gaps in third-party risk and access management.
• Keep reviews blame-free to support learning.

Audit Committee Oversight and CISO Engagement

• Audit committee is primary oversight body.
• Link cyber risk to business impact.
• Ensure decisions can be made from briefings.
• Maintain ongoing dialogue with the CISO.

Common Failure Modes

• Overly technical reporting without business context.
• Too many metrics without prioritization.
• Limited board–CISO access.
• Communication misalignment.

Board-Level Best Practices

• Provide cyber training for directors.
• Test incident response plans regularly.
• Use independent assessments.
• Maintain structured CISO communication.

Agenda Time and Priority Setting

• Cyber topics compete for limited agenda time.
• Priority increases when tied to business impact.
• Ongoing dialogue is critical outside meetings.
• Consider dedicated risk or tech committees.

Expected Outcomes from Each Briefing

• Assess alignment with risk appetite.
• Enable decisions on investment and leadership.
• Highlight changes since last update.

Content That Drives Effective Oversight

• Contextualize external threats to company impact.
• Include people, culture, and third-party risks.
• Incorporate strategic topics regularly.
• Use benchmarking and third-party validation.
• Be transparent about gaps and needs.

KEY RESOURCES

The Director's Cut: Cyber Briefing
The Security Impact Circle
Board of Directors and CISO Communication Survey

Thank you to our partner for making this event possible.