Working with the Board of Directors: Cyber Risk, A Strategic Imperative for Security Leaders

  • Writer: jmalrakeem
  • 11 minutes ago
  • 2 min read


1. The Board’s Role in Cybersecurity Oversight

  • Boards are responsible for strategic oversight, not operational management.

  • The Board’s role of strategic oversight means the Board is in a fiduciary role and has a duty of loyalty and to provide active oversight over corporate governance and risk management. In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).

  • The fiduciary duty includes ensuring protocols are in place and monitoring their execution without overstepping into management roles.

  • Oversight includes:

    o Setting cybersecurity as a strategic priority.

    o Defining risk appetite.

    o Reviewing strategy and performance metrics.

    o Allocating resources.

    o Fostering a culture of security awareness.


2. NACD’s 6 Guiding Principles for Cybersecurity Oversight

These principles from the National Association of Corporate Directors offer a framework for the Board’s engagement:

  • Treat cybersecurity as strategic enterprise risk.

  • Understand legal obligations.

  • Establish oversight structures.

  • Implement cyber risk management frameworks.

  • Measure performance and exposure.

  • Promote systemic resilience and collaboration.


3. Strategic Communication with the Board

  • CISOs must translate technical risks into business impacts.

  • Use clear, non-technical language and visual dashboards.

  • Focus on strategic risk, regulatory compliance, and decision-making support.

  • Include forward-looking insights and follow-up on prior inquiries from the Board.


4. Legal and Regulatory Context

  • The SEC has established very specific requirements for the companies it regulates, which also serve as persuasive guidance for all Boards.

  • Boards must understand legal and disclosure obligations, especially those established in the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules (adopted July 26, 2023; effective Dec. 15, 2023) (Title 17 CFR 229.106).

  • Misleading or incomplete disclosures can result in significant penalties (e.g., SolarWinds, Unisys, Avaya, Check Point, and Mimecast cases).

  • “Material cybersecurity incidents” must be disclosed within 4 business days via Form 8-K, Item 1.05.

  • Disclosure of incidents whose materiality has not yet been determined should not be made under Form 8-K, Item 1.05 (material events) but under Item 8.01 (other events).

  • “Material cybersecurity incidents” must also be disclosed annually in Form 10-K (annual disclosures).

  • The Board’s oversight of cyber risk management, strategy, and governance, and the processes by which the Board or a committee is informed of such risks, must also be disclosed annually in Form 10-K.


5. Collaboration Between GC and CISO

CISOs and GCs should work together to:

  • Align cybersecurity with enterprise risk management.

  • Frame cyber risks in terms of business and legal impact.

  • Develop a common language for discussions with the Board.

  • Provide joint briefings that integrate legal and technical perspectives.


6. Building a Cyber-Resilient Culture

  • The Board sets the tone for resilience.

  • Key elements include:

    o Leadership modeling good practices.

    o Awareness training.

    o KPIs tied to performance.

    o Safe reporting channels.

    o Treating incidents as learning opportunities.
Shawn Tuma

Partner

Cyber | Data | Artificial Intelligence | Emerging Technology Practice Group Leader

Plano Office Managing Partner

972.324.0317

Copyright © 2018-2023 Elevate Xchange, LLC