In NACD BoardTalk's "Keeping Up with Breaches: What Your Board Can Learn from Proxy Disclosures," PwC's Paula Loop shares instructive board cybersecurity oversight practices distilled from proxy statements of companies that have successfully managed a significant breach, which she determined generally include more robust proxy disclosure than "less experienced" companies:
- Boards/board committees are holding private sessions with the CISO or CIO to facilitate candid and confidential communications, clarify matters discussed in previous committee meetings, and talk about sensitive topics like key risks and the adequacy of the cyber budget and resources.
- Companies are retaining third parties to provide an outside perspective on the company's cybersecurity program. Loop suggests these parties present their findings or points of view to the full board or the committee responsible for cybersecurity oversight even if they are hired by management.
- Companies are leveraging the Internal Audit function for independent testing of cyber-related internal controls (e.g., user access control management, security controls, third-party vendor management). IA may also be tapped to follow up on the results of penetration testing and suggestions for improvement.
- Boards are actively participating in overseeing management's cyber response and recovery plan.
- Boards are incorporating cyber risk into their strategy discussions relating to ongoing businesses and emerging technologies in new business areas.
- Briefings to the board on the threat environment and the company's progress in addressing cyber risks are averaging about twice a year, with certain industries indicating that they are conducting briefings quarterly.
Loop suggests boards consider implementing similar practices and, for those already doing so, consider enhanced disclosure. See Greenberg Traurig's "The Inside Scoop - Tips from the Cybersecurity Regulators," our recent report "Board Cybersecurity Oversight," and additional resources on our Cybersecurity/Data Privacy page. This post first appeared in the weekly Society Alert!