Home > Risk > Advice for boards (and practitioners) on cyber

Advice for boards (and practitioners) on cyber

Brian Barnier recently reminded me of a paper that he helped develop for the International Corporate Governance Network (ICGN) in 2016. Cyber Risk: ICGN Viewpoint is a good read.

I like these points:

  • Companies and their investors are increasingly concerned about risks associated with misuse of information and communication technology, whether as a result of poor implementation of data systems, missed opportunities to adopt key innovations or failure to protect a business from malicious acts (which are often labelled “hacking” and “cyber” attacks).

Notwithstanding their technical complexities the broad scope and potential gravity of cyber risks are such that these risks must be understood and proactively overseen by company directors as a matter of good corporate governance…. Cyber related risks are defined as the range of risks related to information and communication technology that can impede the achievement of company objectives and investor returns.

  • It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets. Oversight of cyber risks should not be seen in isolation from the technology and business strategy and objectives to which they are related. On the contrary cyber risks should be addressed in an integrated approach across all risks to achieving business objectives.
  • Strategic decisions regarding technology should be integrated with broader business strategy and methods of managing risk in the strategy development process (such as overcoming bias) and the plan itself.


ICGN has questions board members can ask executives and investors can ask the company.

I have some that I suggest should be asked in addition to those in this and other papers.


The first are to the CEO:

  1. How do you consider cyber-related risks when you set and then make decisions related to strategy?
  2. How are these risks any different from other risks to our objectives?
  3. Do you agree with the risk assessment(s) developed by your team (whether the CISO or CRO)?
  4. Why do you believe you are taking the right risks? Are you sure (and why) that company resources are properly allocated between addressing risks such as cyber and opportunities such as new products and marketing campaigns?


Then I would turn to each of the executives in the room and ask them pretty much the same questions.

If the executives don’t understand and have ready and compelling answers to one or more of these questions, we have a problem!


These are questions that the board members should consider asking of the CEO and other top executives. (The CEO should not defer to the CISO as these are questions about the business and his or her ability to lead it intelligently.)

But practitioners should know the answers, help the CEO understand how cyber can affect the business, and be in a position to engage with the board as they discuss the questions.


What do you think?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: