Bloomberg's "Cyber-Risk Oversight Practices of Public and Private Company Boards of Directors" (Word version) compares and contrasts public company and private company board cyber risk oversight practices based on the results of the NACD's 2018–2019 Public Company Governance Survey and 2018–2019 Private Company Governance Survey.
This graphic shows the top three and the bottom three practices among public and private company respondents based on 16 cyber risk oversight practices boards engaged in over the past year:
Notably, even though board participation in simulation exercises of the company's cyber breach response plan ranked last, board review of the company's cyber incident response plan ranked high, at #5 and #4 in the Public Company Survey and Private Company Survey, respectively. Also common among public companies: receiving briefings from internal advisers (e.g., internal auditors, the CISO or the GC), ranking #4 with 60% of respondents (for private companies, #5 with about 40%).
The article also notes the main areas of divergence between public company and private company board oversight practices, some of which are expected based on the differing challenges and pressures public and private companies ordinarily encounter.
See last week's reports: "Board Cybersecurity Oversight: Directors Speak!" and "Cybersecurity Oversight Practices Vary"; the National Cyber Security Centre "Board Toolkit"; and additional information & resources under Board Oversight and Surveys/Studies on our Cybersecurity/Data Privacy page, and on our Board Practices/Governance Practices page. This post first appeared in the weekly Society Alert!