
Cyber risk practice guide

Cybersecurity resilience is crucial for business.

By Institute of Directors
1 Aug 2015

Most business activity has technology implications. The risk of financial, competitive, and reputational damage is high.

Directors are responsible for managing cyber risk, and the principles for managing it are the same as for any other area of risk. Directors must identify the specific risks, determine the organisation's risk appetite, and act to deal with the risk.

This guide sets out five principles to help boards understand and monitor cyber risk, develop strategies for seeking assurance, and oversee management. It also poses questions for directors to ask management.

Core principles

There are five core principles for boards in their oversight of cyber risks.

  1. Take a holistic approach

    Directors should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

  2. Understand the legislative environment

    Directors should understand the legal implications of cyber risk as they apply to the company’s specific circumstances.

  3. Access expertise and put cybersecurity on the board agenda

    Boards should have adequate access to cybersecurity expertise. Discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

  4. Establish a framework

    Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework.

  5. Categorise the risks

    Board and management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

Download the practice guide

The cyber risk practice guide will be updated in 2021. Note that some legislation has changed around cyber-security and privacy reporting since this guide was published in 2015. For more up-to-date guidance see:
