Companies across all industries continue to face a growing landscape of cyber risks, including vulnerabilities from third-party providers and technology integrations. What separates companies who successfully recover after incidents from those who suffer significant consequences?
Best practices for board oversight of cybersecurity were on the mainstage at Corporate Board Member’s Directors Forum, where Amy Rojik, Director of the BDO Center for Corporate Governance, and Vanessa Pegueros, cybersecurity leader and board director, recently engaged in dialogue and led director participants through practical case study analyses. The session highlighted lessons to be learned from notable cybersecurity incidents and provided actionable insights to help organizations prepare for emerging threats, address legacy problems that may impact resilience, and improve tech stack hygiene to safeguard against cyber threats. Throughout the session, five themes persisted as areas boards should address in their technology governance agendas:
1. Poor management of the organization’s technology debt
Technology debt refers to the accumulation of outdated or poorly maintained systems within an organization. This debt can arise from inadequate operational rigor around infrastructure, systems, and applications. This may involve neglecting to update legacy systems, failing to apply necessary patches, or continuing to use systems that have reached end of life. For directors, this presents significant challenges to their oversight role. Companies that do not actively manage their technology debt not only hinder their current capabilities but also jeopardize future opportunities to implement emerging technologies, which slows organizational innovation. Cyber risk is further increased as outdated systems are more susceptible to attacks.
Additionally, compensating controls relied upon to mitigate risk must be continually reassessed in light of newly discovered vulnerabilities and of abuse of user identity and access that can bypass such controls.
However, it’s not only systems and the control environment that contribute to technology debt. Professionals can add to this debt by not being adequately trained or by lacking technological literacy. Technology debt creates institutional blind spots, limiting the scope and speed of reporting, which obstructs board-level visibility into vulnerabilities.
To oversee technology debt concerns, directors should inquire about the adequacy of three main areas: technology, infrastructure, and people and processes.
2. The company’s foundational readiness to implement new technology is not keeping pace with technological change
In today’s dynamic environment, the strength of an organization's data hygiene foundation becomes crucial, requiring a comprehensive inventory of all data assets. Boards are further compelled to consider broader-reaching benefits and risks, including capital allocation, talent management, competitor analysis, and potential disruptions, such as moving to the cloud. All these considerations require heightened technological literacy among board members, including the consideration of a designated cyber or tech expert in addition to continued education for all directors. There no longer exists an area of the business that technology does not impact, which raises the stakes for continued board development for individual directors and the board as a whole, together with a critical review of board structure and composition to best oversee technology. Leveraging advisors and experts in the technology space may be warranted. Increasing capabilities of bad actors and the sophistication of cyber-crimes amplify the potential financial, operational, and reputational damages. Cyber and technology considerations should be included in a robust ERM program. Understanding how AI and GenAI create new threat opportunities is vital, as companies and stakeholders must remain vigilant about their impact on the business. This environment renews the need for principled governance, such as implementing AI use policies with follow-on compliance audits, as well as effective and continuous change management. For example, consider a reliance on technology that becomes a substitute for human communication in a manner that creates false confidence in generative AI content, or GenAI-enabled phishing attacks whose sophistication makes previously sufficient controls, such as those that relied on detecting grammatical errors, obsolete.
3. Inadequate or unjustified choices in capital allocation
Most boards know where the company is spending money, but do directors assess where the company is not investing? When boards are reviewing the adequacy of capital allocation to technology infrastructure and cyber protection, directors should consider several critical factors:
- Assess the related talent needs, ensuring a culture of change management, training, development, and workforce realignment.
- Evaluate whether costs related to system upgrades, maintenance, third-party services, education, and continuous monitoring are included in the budget.
- Calculate return on investment (ROI), which should not be viewed as a single number but rather as a range that contemplates the uncertainty of a breach and quantified risk of loss.
- Decide on an acceptable ROI range for capital initiatives, aligning it with the organization's risk appetite.
- This analysis should include the board’s fiduciary duty to allocate funds proactively to defend against potential threats in relation to the potential cost of a ransomware attack. Ethical considerations also come into play, as paying ransoms that go to bad actors may fund further illegal and immoral activities. Furthermore, paid ransoms are not a guarantee that breached data assets will be fully returned nor a safeguard that further related data incidents won’t occur.
“As a board member, it is just as important to understand what you are not investing in as what you are investing in.” – Vanessa Pegueros, Board Director
4. Lacking due diligence and/or due care of third-party risk oversight
Mitigating increased cyber vulnerabilities related to third-party risk is indeed challenging, but that is not an excuse for not taking proactive measures. Boards must adhere to due diligence and due care guidelines to establish comprehensive oversight. A widely publicized breach, where the interconnectedness of an HVAC system was overlooked, underscores the breadth of third-party risk and the numerous considerations required when addressing third-party risk in supply chain management. It's crucial to recognize that compliance alone does not equate to security. Boards should ensure that management evaluates the cybersecurity posture of third parties before entering agreements, includes specific cybersecurity requirements, responsibilities, and recourse in contracts, and conducts regular risk assessments and audits. Directors should further inquire of management to ensure they have an inventory and understanding of the data that is accessible to vendors. Providing cybersecurity training and awareness programs for third-party vendors, limiting access to certain data and systems, and establishing continuous monitoring systems to detect and respond to suspicious activities are essential steps in risk mitigation. Directors should also consider whether employees are incentivized for good technology hygiene, including, for example, the identification and performance of tasks like data cleanup.
5. Inadequate communication and documentation of board-level cybersecurity oversight roles and responsibilities
While cyber and technology risks are being considered as part of the broader ERM mandate, directors are further challenged by balancing risk management with innovation. As mentioned in BDO’s Audit Committee Priorities for 2025, as boards formalize their oversight response to evolving technology, they should consider director/committee capacity and expertise. Similar to the evolution of sustainability oversight, technology is integrated throughout the corporate environment (e.g., human capital systems, operations, supply chain management, third-party risk, and financial reporting). Collaborative oversight will be essential and may require assignment to one or more board committees depending on the significance and pervasiveness of the risks. Communication and documentation of each board’s unique oversight roles and responsibilities supports successful oversight. Boards should further make a point of meeting with the CISO, CIO, CTO, and other technology leaders individually to understand technology status, strategy, and risk.
For further thoughts, BDO has prepared a compilation of critical questions that boards and management should be considering with respect to mitigating cybersecurity risk for their organizations. The questions range from the general to the specific, with concentrations on board structure, company strategy, organizational risk profile, cyber maturity, metrics, cyber incident management and resilience, continuing education, and disclosure. They may be useful as a starting point for boards to use in their discussions with management and in the oversight of management’s plans for addressing cyber risks. Mitigation of cybersecurity risk does not equate to elimination.
As directors navigate their oversight responsibilities in this area, they need to remain informed and be confident in the information provided by management. They should also enlist a broader lens to understand the opportunity costs and strategies that account for ERM complexities such as digital transformation, movement to the cloud, and threat security and responsiveness. The BDO Center for Corporate Governance endeavors to support directors in engaging in effective governance by providing insights, learning, and networking opportunities in collaboration with BDO subject matter specialists and advisors designed specifically for boards of directors.