A recent member-requested Society Quick Survey on Board Cybersecurity Oversight drew responses from about 144 members. The results can help other members benchmark their board practices in this area.
Noteworthy results include:
- Companies' CIOs (or another senior executive) most commonly report to the full board on cybersecurity risks annually (40%). Semi-annually and "Other" tied (each about 15%) for the second-most common frequency of reporting to the full board. A number of the "Other" responses described quarterly reporting, either directly from management to the full board or indirectly from management to the full board via the audit committee.
- Companies' CIOs (or another senior executive) most commonly report to a board committee (typically the audit committee, at nearly 75%) on cybersecurity risks semi-annually (23%), with "more than semi-annually" ranking a close second at approximately 22%.
- More than 80% of respondents' companies have cyber incident response plans. Board involvement in most cases (~65%) consists of the board receiving periodic reports relating to the plan. Few boards actually approve the plan.