May 27, 2026
The Cyber Brief | What Every Board Needs to Know About Cyber Risk Oversight
Summary:
- Cybersecurity is an enterprise risk that requires active Board‑level oversight.
- Cyber incidents increasingly create legal, regulatory, and fiduciary risk for Boards and companies alike.
- Effective Board oversight of cybersecurity is built on a set of core, widely accepted principles.
Today, given the dependence on data and the interconnectivity of business infrastructure, every company should see itself as a technology company. That means cybersecurity is no longer an IT issue but a core enterprise risk that the business must understand and manage. And like any enterprise risk, meaningful oversight must start with tone from the top.
Within this landscape, a company’s Board of Directors (BoD) plays a critical role. The board is responsible for overseeing management’s strategy and ensuring that cybersecurity risks are identified, prioritized, and properly managed.
But what does effective oversight actually require?
First, it requires a clear understanding that oversight is not management. The BoD is not responsible for digging into the technical configurations, analyzing specific controls, or managing day‑to‑day security operations. Instead, the BoD is expected to set expectations, ensure accountability, and confirm that management has implemented appropriate controls to mitigate the risk of a cybersecurity incident.
In practice, though, boards often fall into one of two traps:
- Staying too high‑level: Cybersecurity becomes a five‑minute annual update filled with broad assurances that “everything is under control,” with little meaningful insight into actual risks.
- Getting too technical: Boards are overwhelmed with detailed metrics, dashboards, and jargon that do not translate into business risk or support informed decision‑making.
With cyber incidents increasingly leading to regulatory scrutiny, shareholder litigation, and questions about board governance, directors need a grounded, principled approach to their oversight responsibilities so that they can properly discharge their duties as directors with respect to cyber risk.
While numerous resources offer guidance, they tend to converge around a core set of principles that every board should consider.
Key BoD Oversight Principles
1. BoDs should understand and approach cybersecurity as an enterprise risk.
Cybersecurity is no longer a standalone IT issue—it is a core enterprise risk that requires Board‑level ownership. Directors need a baseline understanding of the organization’s threat landscape and must ensure cybersecurity is embedded into strategy, governance, and culture. While adding a director with cybersecurity expertise can strengthen oversight, every board member should build foundational competency through ongoing education.
Cyber risk should be evaluated like any other enterprise risk: determine risk appetite, identify material threats, and oversee management’s decisions to avoid, mitigate, accept, or transfer risk (including through insurance). Cyber must be integrated early in discussions around mergers and acquisitions, product development, digital initiatives, and strategic partnerships. In short, cybersecurity should function as an integral component of enterprise‑wide risk management.
Practical implementation examples:
- Recruit or add a board member with cybersecurity expertise.
- Provide board‑level education through conferences, director‑training programs, or external briefings.
- Request periodic updates or training from qualified outside advisors.
- Set clear tone from the top that cybersecurity is a strategic priority.
- Require regular employee cybersecurity training to reinforce culture.
- Encourage resilience by supporting management’s engagement with industry and government partners.
- Ensure the Board receives at least annual cybersecurity updates from management.
- Dedicate sufficient agenda time for substantive cyber risk discussions.
- Document cybersecurity oversight and related decisions in board minutes and materials.
2. BoDs should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
Boards should expect management to adopt a standardized cybersecurity framework as the foundation for the company’s risk management program. Frameworks such as the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) offer a widely recognized structure for assessing, prioritizing, and reducing cyber risk. Directors do not need to understand each control, but they must understand how the organization measures against the chosen framework, where gaps exist, and what those gaps mean from a business‑risk standpoint.
Using a framework allows the Board to oversee whether management is making informed decisions to mitigate, transfer, or accept risk. The Board’s role is not to choose controls, but to confirm that a framework is in place, consistently applied, gaps are clearly identified, and resources are aligned with the level of risk.
Boards may also leverage external auditors, consultants, or vendors to conduct independent assessments. These reviews provide objective insight into whether the program meets framework expectations and where additional staffing, tools, or budget may be necessary.
Practical implementation examples:
- Adopt and document a standardized cybersecurity framework (e.g., NIST CSF 2.0).
- Conduct independent third‑party assessments benchmarking the program against the framework.
- Require clear written risk assessments identifying key gaps.
- Discuss material gaps with management to determine whether to mitigate, accept, or transfer risk.
- Allocate sufficient staffing and budget to address risks that will not be accepted or transferred.
3. BoDs should establish clear ownership, oversight structure, and access to expertise to oversee the implementation of the enterprise-wide risk management framework.
Cybersecurity oversight often requires more time and attention than the full Board can dedicate during regular meetings. For that reason, many Boards delegate oversight to a committee—typically audit, risk, or technology—while ensuring that cyber remains a full‑Board responsibility overall. The nominating and governance committee should clearly document these responsibilities within committee charters to avoid gaps or duplicative oversight.
The designated committee should receive cybersecurity briefings at least quarterly, with the full Board briefed at least annually—or more frequently as risks, incidents, or regulatory expectations evolve. While internal leaders such as the CISO provide essential insights, directors should maintain healthy skepticism and supplement internal reporting with independent expertise. Third‑party assessments, external auditors, IT vendor evaluations, and outside counsel can provide valuable, objective perspectives on cyber risks and program effectiveness.
Ultimately, the committee’s role is to verify that management is effectively implementing the enterprise‑wide risk management framework—not simply relying on internal assurances.
Practical implementation examples:
- Assign cybersecurity oversight to the audit or other designated committee.
- Ensure the committee receives quarterly updates from the CISO.
- Review internal audit reports and risk assessments regularly.
- Provide committee members direct access to the CISO outside formal meetings.
- Provide independent sources of insight, including third‑party assessments.
- Oversee operational management of key cyber risks, including:
  - Third‑party due diligence
  - Vulnerability and patch management
  - Threat intelligence
  - Backup protection and management
4. BoDs should ask for appropriate metrics that allow them to understand the company’s overall cyber maturity and resilience, as well as the level of threat it faces.
Frameworks and standards help the Board—and any delegated committee—ensure completeness and consistency in the cybersecurity metrics they receive. But the quality of reporting matters as much as the framework itself. At a minimum, Board reporting should clearly explain how significant cyber risks are being managed and monitored at the business‑unit level. This requires clear, jargon‑free reporting that provides enough detail to inform decisions without overwhelming directors with technical complexity.
Many Boards now receive a cyber scorecard that summarizes key cybersecurity metrics in a consistent, comparable format. This enables directors to identify trends, assess progress, and pinpoint areas of elevated risk. Effective reporting should include both:
- Regular reporting on core and key risk indicators, and
- Rotating deep‑dives into emerging or high‑risk topics.
Above all, the Board must ensure management reports on the riskiest areas of the business—not simply the metrics that are easiest to collect.
Practical implementation examples:
- Require a CIO/CISO scorecard tracking risks, trends, and progress.
- Direct that all metrics be aligned to a standardized framework (e.g., NIST CSF 2.0).
- Mandate consistent formatting to enable comparisons over time.
- Prioritize regular reporting on: breaches (internal/vendor), NIST CSF 2.0 maturity, top‑risk heat map, detection/response metrics, and remediation status.
- Schedule rotating deep‑dives on: cyber insurance, third‑party risk, incident response readiness, staffing/budget, and emerging tech risks.
- Insist on coverage of the riskiest business areas—not just easy‑to‑collect metrics.
- Document key questions and follow‑ups in board and committee minutes.
5. BoDs should be informed of legal and regulatory developments and understand the company’s process to meet those obligations in the event of a cybersecurity incident.
Cybersecurity laws and regulations continue to evolve, and Boards must understand the implications for their organization. This includes awareness of the categories of data the company holds, the notification obligations triggered if that data is compromised, and the processes and resources required to meet those obligations within tight statutory timelines. Boards should also understand the potential legal exposure for the company, and for directors individually, in the event of a breach, including the exposure that arises from decisions about ransom payments.
Boards must oversee the company’s incident response process, including identifying the internal and external teams involved, confirming the process is clearly documented, and ensuring management is prepared to meet regulatory expectations. Importantly, one or more directors will likely be responsible decision makers for any potential ransom payment. It is critical that their obligations are understood before a live incident so that those directors can fulfil their duties to the company and its shareholders while also weighing company and personal legal risk. Participation in annual tabletop exercises can provide valuable insight into how reporting, communication, escalation, and decision‑making will operate during a real incident, and whether the company is operationally ready.
Practical implementation examples:
- Ensure management receives training on legal and regulatory notification requirements.
- Establish clear procedures for reporting cybersecurity incidents to the Board.
- Review the incident response plan annually and ensure it is usable in a live incident.
- Review the business resiliency and continuity plan annually.
- Participate in a tabletop exercise to understand reporting and decision‑making workflows.
- Pre‑select outside counsel and obtain insurance‑carrier approval in advance of a breach.
- Review relevant cyber insurance policies to understand available coverage.
- Have the Board consider its position on ransom payments ahead of time, recognizing that the ultimate decision will depend on the specifics of the incident and its impact on the business.
Conclusion
Cybersecurity oversight is now a core governance responsibility that reflects how seriously a Board approaches enterprise risk and organizational resilience. Effective oversight does not require technical mastery, but it does require clear expectations, informed questioning, and accountability for how management identifies and manages cyber risk. In a threat environment that continues to evolve, strong Board‑level engagement is essential to protecting both the organization and its leadership.
About the Author:
Ericka Johnson is a Partner at Nelson Mullins, where she advises clients—including boards of directors—on developing comprehensive cybersecurity programs, managing global incident response, and navigating regulatory investigations. She previously served as Global Cybersecurity Counsel for ByteDance and TikTok USDS, leading complex investigations, regulatory responses, and cross-border breach management. A U.S. Marine Corps reservist, she also served as Cybersecurity Counsel during a combat deployment to Afghanistan.
About the Guest Author:
Laura Newton is a senior cybersecurity and data protection lawyer with more than a decade of experience advising on complex investigations, enforcement actions, and regulatory response across financial services and privacy regimes. She currently serves as Global Security Legal Counsel at TikTok, where she leads legal support for cybersecurity incidents, data security governance, and global regulatory engagement. Her background includes senior roles at leading international law firms, where she acted as lead counsel on numerous high-profile cyber and data incidents and regularly advised boards on cyber risks, as well as enforcement experience with Australian regulators focusing on corporate governance investigations, giving her a uniquely practical, cross‑jurisdictional perspective. Laura is admitted to practice in both California and New South Wales, holds an LL.M. with Excellence, and is CIPP/US certified. She brings a calm, strategic, and deeply hands‑on approach to navigating cyber risk in fast‑moving, high‑stakes environments.
