
Board Governance of Cyber Risk

Three respected organizations (PwC, National Association of Corporate Directors, and the World Economic Forum) have collaborated in a post on the Harvard Law School Forum on Corporate Governance.

Their piece, which merits our attention and analysis, is entitled: Principles for Board Governance of Cyber Risk.

It makes a number of excellent points but goes astray on a few as well.

I will use a couple of new metaphors to make some very important points that don’t seem to be well understood.

But first, the good stuff, with my comments:

  • As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organizations must address cybersecurity.

Comment: the board is there to provide oversight, not to manage the organization. Their job is to obtain assurance that (a) management is setting and walking the right tone, and (b) is also taking the right risks for success (including those relating to cyber) through informed and intelligent decisions. They need to obtain assurance that management is addressing cyber effectively, not to define how they should do so.

  • Cyberthreats are persistent, strategic enterprise risks for all organizations regardless of the industry in which they operate. Effective organizational cybersecurity directly contributes to both value preservation and new opportunities to create value for the enterprise and larger society. Navigating this risk requires a culture of cybersecurity with leadership commitment to, and modelling of, good cybersecurity decision-making.

Comment: Kudos to the authors on this point. I would add that cyber needs to be considered in tactical as well as strategic decision-making.

  • Key considerations include:
    • Hardwire cyber-risk considerations into key operational and strategic decision-making process, including the adoption of cyber risk as a recurring agenda item for full board meetings.
    • View each major new digital transformation initiative through the lens of cyber risk.
    • Determine which board committee should have primary oversight of cyber-risk issues.
    • Analyse cybersecurity issues with respect to their strategic implications and as part of enterprise risk; additionally, analyse business strategy and business model considerations with respect to cybersecurity issues.
    • Ask executives to identify opportunities to use cybersecurity as a market differentiator/ business driver.

Comment: There is a major risk of treating everything cyber in a silo, rather than as only one of the risks and opportunities being taken or addressed by a decision. Instead, the board should satisfy itself that management is taking a more holistic and inclusive view of all the things that might happen, not just cyber, when it makes strategic and tactical decisions. I will return to this later with a metaphor.

  • In order for organizations to make effective business decisions, risk determinations should focus on the financial impact to the organization, including trade-offs between digital transformation and cyber risk. By using scenario planning, leaders in the organization can consider potential gains and losses relative to other business priorities and obligations. Leaders should also measure cyber risk (empirically and economically) against strategic objectives, regulatory and statutory requirements, business outcomes and cost of acceptance, mitigation or transfer.

Comment: the financial impact is only one dimension of how an organization can be affected. It is not always the best measure. I far prefer what is implied in the last sentence: measure the effect on the likelihood and extent of achieving enterprise objectives.

Comment: scenario analysis is an excellent tool, and I commend the authors for suggesting it.

  • Review and approve the organization’s cyber-risk appetite, or tolerance, in the context of the company’s risk profile and strategic goals by ensuring management has:
    • Defined cyber-risk appetite levels in financial terms to inform decision-making and developed key metrics to measure overall cyber-risk management performance
    • Implemented a programme that seeks to identify cyber-risk scenarios that align with the organization’s risk profile and establish a risk appetite
    • Provided the board with detailed rationales for the organization’s determination of materiality of risk, including cyber risk, based on an indication of the risk’s reputational, customer, financial and other relevant impacts as part of its regular risk-management monitoring framework

Comment: while I generally support limits to guide decision-makers, the idea of cyber risk appetite strikes me as absurd. I have criticized the concept of risk appetite at enterprise level before, but to suggest you can have one for cyber by itself leaves me without words. As explained before and I will cover shortly in a metaphor, deciding on acceptable levels of each source of risk without either the context of reward or the context of other sources of risk is likely to result in poor decisions.

Comment: I do agree, however, that management needs to explain why it believes cybersecurity is or is not effective, given what might happen and its potential (range of) effects on the organization’s success.

  • The board needs to consider not just the economic upside of the new market but the economic downside of the cyber risk. Management should provide the board with an empirical and economic assessment of the probable extent of cyber risks versus the probable business advantages using modern risk-assessment techniques that enable such analysis.

Comment: Excellent – as long as the full context is included in the analysis.

  • Effective governance of any enterprise requires clear alignment between cyber-risk management and business objectives across every facet of decision-making, including mergers and acquisitions, business transformation, innovation, digitalization, pricing, product development, market expansion, etc. … Require management to integrate cyber-risk analysis into significant business decisions (e.g. launching a new product or publishing an app).

Comment: Again, excellent.

  • Consider periodic audits, reviews of cybersecurity strength and benchmarking by independent third parties.

Comment: I agree but note that neither here nor in their list of “Executives who can support the board’s understanding of cyber risk” is the internal audit function mentioned – a glaring and terrible omission.


It is now Storytime.


A couple is considering taking the family on a road trip to visit family in Philadelphia. It will take most of the day to get there and they plan to spend at least a couple of days before heading back. They realize that:

  • Their oldest child, Jonathan, might be developing a cold or worse. While he doesn’t have a fever, he is coughing and is unusually subdued. They decide that a mild cold is acceptable and should not prevent their taking the trip.
  • Sometimes, their twin girls fight over access to their favorite toy. This can lead to excessive noise, tears, and a need for calming parental attention. They have been calm for the last few days, but a long trip could be a problem because they would get bored. The couple decide that possibility is not sufficient to deter them from seeing family.
  • The weather forecast indicates a slight possibility of hailstorms. They are willing to take their chances, even though it might scare the children.
  • One of the reasons for visiting this week is that their uncle and aunt plan to be there as well. However, the uncle is recovering from illness and there is a chance that they will have to stay home and not be part of the family event.
  • The wife’s boss has told her there is a possibility, which she puts at 30%, that the wife will have to work during the trip. This could probably be done remotely, but it would clearly affect everybody’s enjoyment. Again, they decide that this is a possibility they could handle.

Considered individually, each of the ‘risks’ is acceptable. If just one of them happened, they would be OK. But if more than one occurred, they would probably regret making the trip.

However, as they are thinking through the situation the wife gets a call from a recruiter. Can she come to Philadelphia for an interview? It’s a position she is keen to get, even though it would require the family moving.

The opportunity outweighs the downsides, and the decision is an easy one to make.


In the same way, considering cyber by itself is unwise. For example, imagine this:

  1. Management is considering moving forward with a new technology. Let’s say that there is a 15% possibility that a breach would occur as a result of a new vulnerability that would have unacceptable consequences (however you determine that – again, my preference is to measure the effect on the likelihood and extent of achieving objectives). Management and the board may decide that is acceptable.
  2. There is also a 15% possibility that the new technology would be seen as anti-competitive by the regulators in the EU, to the extent that significant harm would be incurred. Management and the board are aware of this, have consulted with independent experts, and are willing to take the chance.
  3. While either of these sources of risk may be acceptable on its own, the possibility that at least one of them occurs is more than the 15% for either one alone. This could change the decision.
  4. While the overall situation may now be considered unacceptable, management has to decide what to do about it. They need to consider whether to invest resources and time into cyber or compliance. The latter may be easier, cheaper, and faster to achieve.
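The road-trip story and the technology decision above both turn on the same arithmetic: several sources of risk that are each acceptable alone add up to something that may not be. The following is an added example, not part of the original post, that carries that reasoning through in code. It computes, for any list of independent sources of risk, the probability that none, exactly one, or at least k of them occur (the general form of which the two-by-15% case is one instance). The only probabilities taken from the post are the two 15% figures and the 30% chance that the wife has to work; the other four road-trip values are constructed for illustration, and the independence of the risks is itself an assumption the model makes explicit.

```python
# Added example (not from the post): combine several individually
# acceptable sources of risk into one picture of what might happen.
# Assumes the sources are independent of each other, which is a
# simplification; real risks often move together.
from typing import Dict, List


def count_distribution(probs: List[float]) -> List[float]:
    """Return dist where dist[k] is the probability that exactly k of the
    independent events with probabilities `probs` occur (a Poisson binomial
    distribution, computed by dynamic programming over the events)."""
    dist = [1.0]  # with no events considered, "zero occurred" is certain
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        nxt = [0.0] * (len(dist) + 1)
        for k, v in enumerate(dist):
            nxt[k] += v * (1.0 - p)      # this event does not happen
            nxt[k + 1] += v * p          # this event happens
        dist = nxt
    return dist


def prob_at_least(probs: List[float], k: int) -> float:
    """Probability that at least k of the independent events occur."""
    dist = count_distribution(probs)
    return sum(dist[k:])


def technology_decision() -> Dict[str, float]:
    """The post's two 15% sources of risk: a breach and a regulatory finding.
    Each is 15% on its own; the chance that at least one occurs is higher."""
    breach, regulator = 0.15, 0.15
    return {
        "either_or_both": prob_at_least([breach, regulator], 1),  # 0.2775
        "both": prob_at_least([breach, regulator], 2),            # 0.0225
    }


# The road-trip story. Only the 30% work figure is in the post; the other
# four values are constructed for illustration.
ROAD_TRIP = {
    "jonathan_cold": 0.40,   # constructed
    "twins_fight": 0.50,     # constructed
    "hailstorm": 0.10,       # constructed
    "uncle_absent": 0.25,    # constructed
    "wife_must_work": 0.30,  # from the post
}


def road_trip_decision() -> Dict[str, float]:
    """One problem is tolerable; the family would regret two or more."""
    probs = list(ROAD_TRIP.values())
    dist = count_distribution(probs)
    return {
        "none": dist[0],                          # 0.14175
        "exactly_one": dist[1],                   # 0.36
        "two_or_more": prob_at_least(probs, 2),   # 0.49825
    }


if __name__ == "__main__":
    for name, result in (("technology", technology_decision()),
                         ("road trip", road_trip_decision())):
        print(name)
        for key, value in result.items():
            print(f"  {key:<16} {value:.4f}")
```

With the constructed figures, the family faces roughly a 50% chance of the "two or more" outcome they said they would regret, even though every item passed on its own; the same lens applied to the technology decision turns two acceptable 15% risks into a 27.75% chance that at least one materializes. Swapping the independence assumption for correlated risks would only push these combined figures higher, which is the point of judging the whole picture rather than each source in its silo.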


It is still Storytime.


Jane, the CEO, needs to replace the CFO, who is retiring. She has relied extensively on his experience and technical knowledge when it comes to leading the Finance team, including handling not only the accounting and financial management functions, but also advising her on acquisitions and other key decisions.

She needs to find an individual with whom she is comfortable, trusting him or her to run a major part of the business and help the entire management team be successful.

She doesn’t want to have to monitor and challenge his decisions.


The CEO is with the business every day.

The board members are not.

Rather than seeing their responsibility as one of “defining how their organizations must address cybersecurity”, they need to make sure management is capable of running the business.

Members of the board do not have time to get in the weeds. But they do have the time to ask intelligent questions and require that management explain to their satisfaction whether issues like cyber and other topics of the day are being addressed.


Personally, I like the idea that board members require management to explain:

  • Why they believe they are making the intelligent and informed decisions necessary for success, considering all the things that might happen.
  • Why they believe their processes for the identification, assessment, evaluation, and responses to all the things that might happen (both risks and opportunities) are reliable.
  • Why they believe they have an appropriate level of cybersecurity – and are managing other sources of business risk, such as ethics and compliance, third party relationships, technology development and use, competition, and so on.


So, my principles for effective governance of cybersecurity are much simpler:

  1. Remember yours is an oversight role. Hire the right people and let them do their job with your help.
  2. Noses in, fingers out.
  3. Require that management explain to you why they believe everything is as it should be.
  4. Ensure internal audit has the resources and ability to provide you with the assurance you need on major sources of risk, which would probably include cyber.


I welcome your thoughts.

  1. June 29, 2021 at 9:03 PM

    Good point on how risks are interdependent, and digital risks can have the same catastrophic impact as a natural disaster.

    We need to use a wider lens when we consider the role of Digital Transformation. Cyber risks are part of digitalization (technology) which in turn is part of the 3 pillars of digital transformation. The 3 pillars are people/culture, business model transformation, digitalization/technology. If it sounds like ESG, it is ESG 🙂

  2. Anonymous
    July 11, 2021 at 11:24 PM

    Thanks Norman for the value add to this article.
    Sometimes I wonder how you manage this site….you are very deep yet it sounds very conversational….do you have PAs to organize your thoughts or you do it yourself….maybe with a speak-spell-and-write App? Anyway thanks for your well thought out additions…especially how PwC et al. forgot about the role of IA in cyber risk management

    • Norman Marks
      July 12, 2021 at 6:34 AM

      Dear Anon, it’s all me. Thanks for the nice words.

