- BDO’s Amy Rojik says timely testing plans can help directors
- Can boost boards’ tech expertise, advise management teams
Corporate board directors are taking financial and cultural action to protect their organizations against cybersecurity risks—and build resilience for future challenges—by fostering a culture of shared responsibility, creating access to good data, and using proactive incident response strategies.
Alongside increased investments, 37% of directors report expanding accountability by shifting the treatment of cyber risk from an IT responsibility to a company-wide responsibility, according to BDO’s 2024 board survey.
Directors are benefiting from timely updates to, and testing of, incident response plans. During a recent broad-reaching software update issue involving a third party, one organization credited its recent cloud migration and its use of a real-time business model for a quick recovery. Another organization cited effective tracking and clear communication with staff as the key to implementing a quick, coordinated response.
Regulatory compliance adds a layer of complexity. The Securities and Exchange Commission’s cybersecurity disclosure rules have heightened the need for timely, transparent, and accurate reporting of material cyber incidents. The rules also have expanded information about a company’s cybersecurity strategy, risk management, and governance.
Boards need to determine whether operational leaders such as chief information security officers and chief information officers, financial reporting leaders such as chief financial officers, and others are clearly defining parameters when identifying a material cyber incident for their specific organization. This can be challenging because information about an incident may evolve over time.
Here are some other cybersecurity actions that boards and their directors should consider.
Enhance oversight beyond what’s required. Arrange external assessments to validate cybersecurity strength, establish clear internal processes for reporting incidents, and integrate cyber response plans within a broader crisis management framework. This can create a more cohesive approach to managing incidents.
Monitoring competitor disclosures and benchmarking against the organization’s own practices can offer additional insights into risks and industry standards.
Regularly evolving tabletop exercises can further harness lessons learned from reported cyber incidents. These types of activities allow boards and management to test and refine responses for future cyber incidents.
Bolster board expertise in technology and cybersecurity. While the SEC’s rules stopped short of requiring boards to disclose whether they have cyber experts, specialized skills are in demand within the boardroom.
The top experiences sought in 2025 include technology implementation (31%) and cybersecurity (27%), according to BDO’s 2024 board survey. To keep up with these evolving needs, many directors are dedicating an average of 42 hours a year—roughly 15% of their reported board service hours—to independent education and research to learn about rising risk areas and enhance their ability to bring value to their boards.
Other ways boards are accessing expertise are by ensuring managerial competence, planning for director refreshment, and partnering with external advisers and subject matter experts to support oversight and management actions.
Advise and guide management teams. Directors and management should work together to foster a culture of technology risk awareness across the organization. This includes asking how enterprise risk management systems integrate technology risks and requesting data-driven insights to understand competitors’ technology use and broader industry trends.
Directors should ensure a multidisciplinary group of stakeholders is meeting to establish ethical guidelines on acceptable (and unacceptable) uses for emerging technology and to practice good data hygiene. This group should advance privacy protocols and procedures that govern technology use, particularly for generative AI, to mitigate risks and promote responsible innovation.
Balancing risk and innovation is a complex but critical endeavor. Boards and management teams must meet customer demands swiftly, remain competitive, and fulfill stakeholder expectations, all while upholding rigorous risk management and demonstrating sound oversight.
Forward-thinking directors understand that the relationship between opportunity and risk is symbiotic. Effective oversight not only mitigates threats but also enables the organization to seize opportunities with confidence.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Amy Rojik is a principal in BDO’s national professional practice and directs the Center for Corporate Governance that oversees the firm’s communications and governance efforts.