NACD Cyber Report Finds Improved Reporting to Boards
A report from the National Association of Corporate Directors’ Risk Oversight Advisory Council reviews emerging corporate board practices in cyber risk oversight. According to the report, the quality of cyber risk information provided to boards has improved: roughly 83 percent of public company directors and 68 percent of private company directors say that the cyber-risk information provided by management has improved in quality over the past two years. The report discusses several ways in which boards can assess the level of reporting provided by management, including the following considerations:
- Management’s communication to the board should be flexible enough to reflect the changing cyber threat environment, as well as evolving company circumstances and board needs. For instance, boards may request additional meetings with the chief information security officer in the aftermath of a cyber incident, during times of increased threats, or to familiarize newer directors with the firm’s cybersecurity program.
- NACD council members advise that board members or relevant board committees regularly consider the format and content of cyber-risk reporting to ensure that it remains fit for purpose. Basic reporting may include emerging cyber threats and how they relate to the company, how the company’s performance on cybersecurity metrics compares with that of other firms, and quarterly overviews of trends, hot topics, regulation, and recent attacks.