The Cyber Gap: Are You Leaving Your Board Exposed to Rising Risks and Liability?

NACD Northern California
Contact Us
Lisa Spivey,
Executive Director
Kate Azima,
Director of Partnerships & Marketing
programs@northerncalifornia.nacdonline.org
About The Event
The cyber threat landscape is evolving faster than most companies can keep up with, leaving many boards unknowingly exposed. To address this gap, NACD Northern California convened directors, chief information security officers, and chief technology officers for a private dinner and peer-to-peer discussion led by cybersecurity experts Stephen Singh and Rob Sloan, along with insurance leader Joseph Talmadge.
KEY TAKEAWAYS
Cyber Liability & Insurance
- Cyber insurance terms, exclusions, and coverage change annually—directors must demand regular reviews.
- Active monitoring models now shape coverage and return on investment (ROI).
- Gaps remain around war and terrorism exclusions, third-party vendor coverage, insider threats, emotional and physical harm, and deepfake impersonation. Make sure to know where these gaps lie.
- Premiums are starting to ease after years of increases, but policy complexity and risk overlap are intensifying.
Threat Landscape
- Insurance trends are shifting from physical to digital exposures, with carriers using real-time data and cyber controls to underwrite and price coverage—making digital resilience core to enterprise risk management.
- Phishing now requires no clicks; bad actors are innovating faster than defenses.
- Artificial intelligence (AI) (e.g., agentic AI, automated random attacks) is enabling scalable, low-skill, multi-victim cybercrime.
- Quantum computing threatens to break encryption, raising long-term risk scenarios—when should boards begin seriously considering this as a risk?
- Nation-state and organized-crime boundaries are blurring, complicating coverage and accountability.
Governance & Committee Best Practices
- Seventy-five percent of S&P 500 boards still rely on audit committees for cybersecurity, but leading practice is to have dedicated audit and risk committees or cybersecurity-focused sub-committees.
- Cybersecurity can also sit under the audit committee, with mid-quarter cybersecurity calls and annual or full-board deep dives serving as a sound way to manage cyber risk.
- Boards need baseline governance plans, such as frameworks (from the National Institute of Standards and Technology and International Organization for Standardization), telemetry-based reporting, and escalation triggers.
- Federal Bureau of Investigation briefings and tabletop exercises are considered best practice.
Zero Trust & Risk Quantification
- Unlike the old “castle and moat” model—where once inside the walls you were trusted—zero trust assumes no one is trusted by default, requiring constant verification of every user, device, and transaction.
- Telemetry evidence strengthens insurance negotiations and demonstrates ROI.
- The challenge is not just technical—it requires C-suite mindset shifts and cultural adoption.
- Consider who presents cyber risk to the board and whether the briefing offers strategic insight rather than being solely a check-box exercise.
Broader Risk Context
- Cyber risk now intersects with digital assets, environmental risk, bodily harm, and directors and officers (D&O) coverage.
- Ransom payments via cryptocurrency raise disclosure concerns if digital currency is on the balance sheet.
- Tone from the top is key—cultural reinforcement (e.g., questioning “urgent” requests) reduces successful attacks.
Boardroom Questions
- What are the key exclusions in our policy, and do they reflect emerging threats like AI, deepfakes, and quantum?
- Does our insurance cover third-party/vendor risks?
- How does management quantify potential financial loss from cyber incidents?
- If we adopt zero trust, how will it change our premiums and risk profile?
- Who negotiates our cyber insurance, and are they technically fluent in cyber risk?
- What tabletop scenarios are we running to test ransomware and deepfake response, and who is involved?
- Do we need to prepare for quantum risk?
- Do we have a formal AI acceptable-use policy?
- Where are the geopolitical hotspots relevant to our sector, and are they included in our insurance policy?
- Where in our structure should cyber oversight live—audit, risk, or a dedicated cybersecurity committee?
- Do we have a policy defining materiality to our organization?
- Can management show the ROI of zero trust in terms of reduced loss exposure?
- Do our insurance policies cover digital assets if used in ransom payments?
- How do cyber policies interact with D&O and other coverages in overlapping incidents?
Thank you to our generous partners for making this event possible.