Bloomberg Law's "Cyber-Risk Oversight Practices of Public, Private Boards" compares and contrasts public company and private company board cyber risk oversight practices based on the results of the NACD's 2019-2020 Public Company Governance Survey and 2019-2020 Private Company Governance Survey.
The top seven oversight practices for both public company and private company boards were:
- Reviewing the approach to protecting critical data assets against cyberattacks
- Communicating with management about the types of cyber risk information the board requires
- Reviewing significant cyber threats and response plans
- Reviewing cyber breach response plans
- Assessing employee negligence or misconduct risks
- Assessing third-party risks
- Reviewing cyber insurance coverage
The practice least engaged in by both public and private company boards was leveraging external advisors to understand the risk environment.
Also notable: 60% of public companies scheduled "cyber risk" at least once on the board agenda over the last year compared to 40% of private companies. This compares to 75% of Society public company member respondents to the Society/Deloitte "Board Practices Report: Common threads across boardrooms" (released last year) reporting at least an annual frequency of cyber issues on the board agenda.
See our recent report: "Board Cybersecurity Oversight - One Size Fits One" and additional information & resources on our Cybersecurity/Data Privacy and Board Practices/Governance Practices pages. This post first appeared in the weekly Society Alert!