Assessing the Board’s Cyber-Risk Oversight Effectiveness

By NACD Staff

03/15/2021

In brief: This tool helps directors outline key questions to pose to their senior management teams in order to provide effective cyber-risk oversight. The tool then provides a numerical scale for assessing the board’s cyber-risk oversight effectiveness. This brief was written by Thomson Reuters and originally appeared in Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.

This resource can help your board to

  • pose questions to management to assess key cyber risks,

  • provide oversight of the corporation’s cyber-risk landscape, and

  • evaluate the board’s understanding of cyber risks facing the organization.

Most relevant audiences: Risk committee chairs, risk committee members, and CISOs

This tool helps directors identify which questions to ask senior management and outlines a numerical scale for assessing the board’s cyber-risk oversight effectiveness.

Board leaders wishing to incorporate a cybersecurity component into their board’s recurring self-evaluation can use the questions in the table below as a starting point.

Questions Directors Can Ask to Assess the Board’s Cyberliteracy

  1. Can all directors effectively contribute to a robust conversation with management about the current state of the company’s cybersecurity? In which areas does our lack of knowledge/understanding of cyber matters prevent effective oversight?