Director’s Handbook on Cyber-Risk Oversight
Businesses around the world depend increasingly on technology, a digital revolution that has created both enormous rewards and exponentially expanding risks. The cyber-threat landscape we face today is more complex and dangerous than ever, with cybercrime expected to cost the world some $8 trillion in 2023. With corporate reputations and revenue on the line—and given the broader implications for our national security, economic prosperity, and public safety—we must think differently.
For decades, cyber risk was considered part of information technology (IT) risk, and its oversight was largely delegated to engineering and security teams within an organization. More recently, however, in large part thanks to the five principles highlighted in previous versions of this thoughtful handbook, corporate leaders have begun to see cyber risk for what it is: a strategic, enterprise risk, which they—not their CISOs—own. Today, given our complex, dynamic, and highly interconnected environment, boards and company leadership must consider the broader picture and the critical role they play in their company’s and in society’s resilience.
We need a new model of sustainable cybersecurity, one that starts with a commitment at the board level to incentivize a culture of corporate cyber responsibility in which managing cyber risk is treated as a fundamental matter of good governance and good corporate citizenship, a recognition highlighted in these pages with the inclusion of a sixth core principle for board oversight—the need for boards to encourage systemic resilience through collaboration.
