Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas.
Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.