Risk in Context

Owning Cyber Risk: Four Tips for Boards/CEOs

Posted by Tom Fuhrman 26 October 2015

Although most boards of directors and CEOs now recognise cyber security and discuss it frequently, many would benefit from doing more to take ownership as key stakeholders of cyber risk management.

Consider that only 14% of corporate directors believe their boards have a high level of understanding of the risks associated with inadequate cyber security, according to the 2015–2016 National Association of Corporate Directors (NACD) Public Company Governance Survey. And 31% of responding directors said they were either “dissatisfied” or “very dissatisfied” with the quality of information from management about cyber security.

What is the best way for boards and CEOs to own cyber risk? Here are four steps to get started:

  1. Establish a culture of cyber security. Making it clear that cyber risk is everyone’s responsibility sends a clear message about the important role each person plays in cyber security.
  2. Train board members and senior executives. Suitable training – including seminars and scenario-based incident response exercises – can help make the board and C-suite more conversant with cyber risk and more engaged in its management.
  3. Align cyber risk with your overall risk management strategy. Define the organisation’s tolerance for cyber security risk. These tolerances, set by senior management, are thresholds for the financial impact the business is prepared to incur from cyber incidents. Additionally, particularly at senior levels, cyber risk should be described in terms of loss events (expressed in dollars) and the likelihood of those events (expressed as percentages within a timeframe). This will help get cyber “on the same page” as other enterprise risks.
  4. Use programmatic and strategic indicators. In managing cyber risks, expect management to define and regularly report both key performance indicators (KPIs), which describe progress toward cyber security programme objectives, and forward-looking key risk indicators (KRIs), which help leadership anticipate cyber threats and other developments that can have strategic implications for the business.

Increasingly, the leadership of a CEO or board is being judged partly by how they drive their organisations to manage cyber security risks. Taking ownership of cyber risk at the top is a critical first step.

Tom Fuhrman