Are Boards Getting Cyber Wrong?
A new report finds that most large corporations in the United States assign oversight of cybersecurity risk to the board’s audit committee, which isn’t the craziest governance decision a board can make but does raise questions about whether boards are addressing cybersecurity as wisely as possible.
The report comes from MyLogIQ, a software firm that studies disclosures that public companies make — such as their disclosures in the proxy statement about how the board governs cybersecurity. MyLogIQ crunched the data for 464 firms in the S&P 500, and found that 70 percent of them said in their 2025 proxy statements that they assign cybersecurity to the audit committee. That’s up from 67 percent who said the same in 2023.
At the same time, the number of firms that assigned cybersecurity to the entire board fell, from 13 percent in 2023 to only 9 percent today; while the number who assigned it to a dedicated technology committee edged upward from 6 percent two years ago to 8 percent today. See Figure 1, below.

Source: MyLogIQ
In other words, the slow trend is to move cybersecurity risk away from the full board to the audit committee. Is that really wise, when the audit committee already has so much to do monitoring financial reporting and risk management systems?
Honestly, I don’t know. One can see the argument that audit committees already have their hands full with financial reporting and compliance oversight. At the same time, however, there’s a school of thought that strong internal control over financial reporting is very much entwined with strong access control, and strong access control is at the heart of cybersecurity. So why not assign cybersecurity to the audit committee?
Well, because strong cybersecurity is about much more than financial reporting, those critics would respond. Strong cybersecurity is also crucial to effective privacy compliance, protection of intellectual property, delivery of goods and services via the cloud, and much more. That is, strong cybersecurity is central to a company’s overall use of technology. So shouldn’t the board recognize that fact and establish a dedicated technology committee?
Strategic vs. Tactical Tensions
The governance challenge here is that companies depend on effective use of technology to execute their corporate strategy; and they depend on effective cybersecurity to use their technology. There’s no easy way to disentangle security risk from technology risk, or technology risk from strategic risk; and somehow boards have to juggle all three at once.
For example, say the CEO wants to expand internationally, using a network of independent sales agents who access your proprietary data via the cloud. That’s a strategic choice to grow the business, so typically it should be evaluated by the full board.
Except that the strategy will only succeed if your company uses cloud IT environments effectively; and your effective use of cloud computing will only succeed if it rests on strong cybersecurity. Those are tactical questions about how well the company can manage its resources, so typically they should be evaluated by a board committee.
Well, which one? Giving all of that to the audit committee seems like a terrible idea, because that committee spends so much time on financial reporting (and rightly so) that it will never give these important IT risk issues the proper attention.
But if your board doesn’t have a dedicated technology or risk committee of some kind (and many corporations still don’t, especially once you get beyond the S&P 500), there’s really no good home for that important discussion of IT or cybersecurity risk — so the full board exercises oversight of the overall strategy, without necessarily having a full grasp of how well the company can pull it off.
As a practical matter, chief audit executives do have an opportunity here. Just yesterday we saw a report that cybersecurity is pretty much the top risk for all organizations everywhere. If so, then shouldn’t your board evaluate whether its committee structure properly reflects the risks that the business faces?
It’s not necessarily the case that every corporate board needs some sort of IT or cybersecurity committee; but most will, especially if you work in technology, banking, healthcare, or data services. At the least, good governance practice would be to review this question every few years and document the board’s decision. CAEs can help to lead that discussion.
Briefing the Board on Cyber
The MyLogIQ report had another interesting statistic: how often management briefs the board about cybersecurity. See Figure 2, below.

Source: MyLogIQ
The red flag here is that nearly half of the S&P 500 (45 percent) said their boards only receive briefings on cybersecurity on an “irregular or ad hoc” basis. Presumably that means the board only hears about cybersecurity when (a) an incident happens that leaves the board screaming for details; or (b) management decides it has something it wants the board to know.
These are the largest of large companies, with sophisticated awareness of cybersecurity risks — and still, 45 percent of their boards only receive irregular briefings on cybersecurity. One can only imagine what the percentage is for smaller organizations with smaller or less robust boards.
It’s good to see that 31 percent of boards receive briefings every quarter; that suggests a board that “gets it,” that cybersecurity is an intrinsically important oversight duty akin to financial reporting.
Now we just need that number to go way higher.
