Board expectations for cyber security

As we all come back from the Christmas break and gear up for another year of activity, it’s timely for boards to consider the state of cyber security in the organisations they are responsible for. Here is a simple checklist which should help to give some surety that the management team have the right procedures and protective measures in place.

  1. Is there a regular report on cyber security that is presented to the board? Does it contain enough information to allow board members to understand the current risks and to see that progress is being made to reduce them?
  2. Does the organisation undertake annual cyber security reviews? Have the risks raised been evaluated and addressed? Not addressing identified risks can invalidate cyber insurance cover, and may have other negative impacts (as well as the obvious risk of a cyber security incident).
  3. Is there a plan in place to improve overall cyber security? This is often less about addressing specific risks and more about ensuring that there are the right internal policies, procedures and standards in place to minimise the chance of risks and incidents appearing. There are various good practice frameworks that can be used in this area.
  4. Is the organisation compliant with external standards? Various industries will have different standards they need to comply with, and some standards will have an impact on cyber security. For example, complying with AML/CFT means that far more personal data (driving license, passport details, etc.) may be stored. This data needs to be secured. And there may be some standards that need to be complied with but have been missed – e.g. PCI DSS if the organisation takes credit/debit card payments.
  5. Has the security of suppliers/partners been considered? Third parties can be given remote access to support systems, or data (usually client or staff data) can be passed to them for processing. Has the organisation considered the privacy and security implications? Has it set expectations with the third parties, and how are they being monitored?


If you’d like some assistance in this area then please contact

