What Are the Other 30% of Boards Doing?

In today’s threat landscape, cybersecurity oversight should be non-negotiable. Yet 30% of public companies don’t disclose who handles it—or if anyone does. This silence isn’t strategic. It’s a liability. From lack of cyber literacy to fear of exposure, we unpack why boards are still falling short—and how to fix it.

In an era where ransomware can cripple entire industries and regulators are cracking down on cybersecurity governance, you’d think board oversight would be table stakes.

Apparently not.


According to EY’s 2024 Cybersecurity Oversight Disclosures, 70% of publicly traded companies now disclose that their Chief Information Security Officer (CISO) or a dedicated cyber leader reports directly to the board—a huge leap from just 9% in 2018.

But that still leaves 30% of public companies silent on this critical point. No disclosure. No stated process. No visibility.

And that silence? It should set off alarms.


Why the Gap?

Let’s not assume these companies are negligent. The issue is often structural—but no less risky.

1. Lack of Cyber Expertise. Most boards were designed for financial and operational oversight—not digital risk. Directors know how to read balance sheets, but when it comes to threat vectors and zero-days? Not so much. When no one knows what to ask, oversight becomes reactive at best.

2. Overreliance on Management. Too many boards default to “the CISO has it handled.” But cybersecurity is enterprise risk, not just IT. And with CISO turnover averaging 18–26 months, this hands-off approach is shortsighted—especially compared to the long tenure of most directors.

3. Regulatory Fog. Yes, the SEC’s new cyber disclosure rules demand transparency. But with evolving expectations, some boards freeze, waiting for clarity instead of taking initiative. Spoiler alert: regulators aren’t waiting.

4. Fear of Disclosure. No board wants to admit they’re behind. But failing to disclose oversight is more than a governance flaw—it’s a reputational risk. Investors and regulators are paying attention.

5. The Real Red Flag: No Outside Assurance. Here’s the kicker: many of these companies are also required to undergo audits or assessments by accredited third parties, such as AICPA-aligned firms or SOC 2 assessors. So if the CISO isn’t reporting to the board and no disclosure is made—who’s watching the perimeter?

What Should Boards Do?

If you’re on a board—or advising one—here’s how to avoid being part of that silent 30%.

1. Build Cyber Literacy


Action: Schedule cyber education sessions and tabletop exercises annually.

2. Mandate Regular Cyber Briefings

Cyber should be a standing agenda item—not an afterthought.

Action: Require quarterly updates from the CISO or head of risk. Ensure the conversation is strategic, not just technical.

3. Establish a Cybersecurity Committee

Just like audit or comp committees, cybersecurity deserves its own space for depth and accountability.

Action: Form a cyber oversight committee or expand the scope of your risk committee with outside expert advisors.

4. Bring in a Third Party — That’s Where Cyber Pulse Comes In

Internal reporting is valuable—but often lacks objectivity.

Action: Use a tool like Cyber Pulse to evaluate your organization’s ability to prevent, detect, and respond to cyber threats. It’s not a checklist—it’s a true health check of your actual security posture.

The Bottom Line

Cybersecurity oversight isn’t optional. It’s a board-level responsibility. And failing to address it isn’t just risky—it’s indefensible.

Don’t be part of the 30%. Be the board that gets cyber risk right—before regulators, investors, or the next breach call you out.
