Cyber risk practice guide

By Institute of Directors
5 May 2021

Cyber risk is like any other business risk and requires board level attention and responsibility. Since the 2015 edition of the Cyber risk practice guide was published, boards have significantly stepped up their focus on cybersecurity.

The 2021 edition of the Cyber risk practice guide retains five core principles to help boards understand and approach cybersecurity in their organisations. Updates to the guide include privacy law developments and new resources for directors. It also presents questions for directors to ask management around their cybersecurity policies and settings.

Core principles

There are five core principles for boards in their oversight of cyber risks.

  1. Take a holistic approach

    Directors should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

  2. Understand the legal environment

    It is essential that directors understand their legal responsibilities and the implications of cyber risk relevant to their organisation.

  3. Give cybersecurity regular attention on the agenda

    Cybersecurity needs regular and adequate time on the agenda. Boards should also continue to build their cyber competency and ensure they have access to external expertise.

  4. Establish a framework

    Ensure that an enterprise-wide cyber risk management framework is established.

  5. Categorise and address the risks

    Board and management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.