Nearly three-quarters of Fortune 100 companies now seek cybersecurity expertise at the board level, marking a dramatic transformation in corporate oversight. EY Americas’ Pat Niemann examines how boards are rising to meet an unprecedented challenge as cyber criminals harness AI and software-as-a-service to launch increasingly sophisticated attacks.
A year after the SEC adopted new disclosure rules for cybersecurity risk management, strategy, governance and incidents, EY research in October 2024 found that many Fortune 100 companies were increasing their voluntary cyber oversight disclosures to give investors more visibility.
But that is just part of the picture. In 2025, boards of directors will see a shifting cyber risk landscape in which cyber threats and attacks are growing in scope, pace and sophistication.
In fact, the FBI’s internet crime report in 2024 revealed a 10% increase in complaints and 22% increase in year-over-year losses. Cyber criminals have honed phishing, social engineering and other tactics to thwart what is typically a company’s first line of defense — its employees. They can now use artificial intelligence (AI) to emulate human voices and video images. If they lack the skills to build the software, they can acquire it on the dark web via software-as-a-service.
Additionally, as organizations rely more on third parties for complex IT environments, the attack surface for a potential cyber attack and disruption of critical systems has grown. Emerging technologies like generative AI (GenAI) are expected to transform business models but also have implications for cybersecurity.
Board members need to stay abreast of all possibilities. An EY survey of large global organizations found that board members and executives most often select data privacy and security as their organization’s greatest integrity risks in the coming years. This also points to the need for strengthening cybersecurity infrastructure and operations, a priority boards must monitor.
Elevating cyber response mitigation and oversight
As concerns about cybersecurity continue on a seemingly constant growth trajectory, audit committees most often take the lead on cyber disclosure oversight. Our analysis of 2024 Fortune 100 company disclosures as of May 31 found that board audit committees oversee this reporting at 81% of the companies, up from 20% in 2018.
But cyber concerns are not just the purview of one committee — they are embedded in a variety of discussions, from risk and strategy to talent and supply chain. Given the complexity and frequency with which cyber issues arise and their potential costs, the entire board must be watchful. Board members need to ask the right questions to help guard against weaknesses in the company’s cyber defense and be familiar with how the organization would respond in the event of a cyber attack.
Almost all the companies analyzed (96%) disclosed that management reports to the board and/or committees overseeing cybersecurity matters, and 84% reported that at least one senior member of management — such as the chief information security officer (CISO) or chief information officer (CIO) — provides cybersecurity insights to their board. This happens at least annually or quarterly at more than half of the companies.
Nearly three in four companies also disclosed that they seek cybersecurity expertise on their board. That is more than three times as many as in 2018. About one-third disclosed that at least one board director has served as a CISO, CIO or chief technology officer.
About three in 10 disclosed that the board participates in cybersecurity-related education or training, while 82% reported using education and training to mitigate risk.
Boosting cyber defenses with frameworks, plans and readiness training
In today’s high cyber-risk business environment, being prepared to respond to threats and attacks is critical. The EY research found a marked increase in companies disclosing that they use an external framework or standard to support their cybersecurity efforts (57%, up from 2% in 2018). Nearly half reported using the National Institute of Standards and Technology (NIST) cybersecurity framework; 20% indicated that they use the International Organization for Standardization guidelines.
While the growing adoption of NIST standards and other frameworks is a step in the right direction, my colleague Jaime Kipnes, EY Americas cybersecurity integration leader, says, “Establishing a robust cybersecurity Govern function based upon NIST CSF — the latest addition to this framework — will be important for companies to support their cybersecurity risk management strategy, expectations and policy to enable quick, efficient and effective cyber threat responses.”
Boards also should know which external framework their organization uses and why. Does the framework best serve the organization? Would management make the same selection today?
In tandem with gaining that understanding, board members should familiarize themselves with the organization’s cyber crisis response plans. They need to be confident that the plans are complete and relevant.
To get a clear view of organizational readiness, board members should participate in the company’s incident response preparation, whether it uses simulations, tabletop exercises or other readiness tests to see how the organization might perform in the event of an attack. Did the exercises reveal any weaknesses in the crisis response plans? What gaps need to be closed, and how?
The exercises can be eye-opening: they pressure-test the organization and give participants an opportunity to develop the muscle memory that becomes particularly useful when a cybercriminal breaches a company’s defenses. Nearly half of the analysis set disclosed using such tests, about 3.5 times as many as in the last proxy reporting cycle.
Given what is at stake in the event of a cyber attack and the complexity of establishing and assessing cyber defenses, 87% of companies disclosed that they use external advisers. However, just 10% of boards reported engaging an adviser themselves.
Considerations for boards to lead an effective strategy
Board members should be aware of cybersecurity risks and the steps their organization takes to mitigate them, along with the associated challenges and opportunities that new and legacy technologies may present. As boards prioritize cybersecurity, it should be included in all conversations. Board members should engage with multiple members of management and external experts to understand what skills are needed and identify where there may be gaps. Engaging in response exercises can give boards a better line of sight to cybersecurity issues, and it is incumbent upon them to establish that lessons learned are reflected in company playbooks.
They also must keep up with regulatory changes in the jurisdictions in which the company does business as they make their cyber disclosures more transparent and more timely. In doing so, boards can play an important role in helping their organization mitigate cyber risk, while also strengthening the trust stakeholders place in the organizations they oversee.