Does the Board have the appropriate information to assess an organisaton’s cyber risk? That is the question that this report helps to answer. We spoke at length with Directors and reviewed sanitised report to uncover what works well and what does not. What we found was striking: most Boards are talking about cybersecurity — but the depth, structure, and quality of those discussions vary wildly. In fact, when asked how well-informed they feel to assess cyber risk, the average score from Directors was just 6.5 out of 10.
So, what are the Boards that scored higher doing differently?
That’s exactly what this report uncovers. It distils the good practices, governance arrangements, and reporting styles that lead to more meaningful cyber oversight. We’ve identified six key content areas every Board calendar should cover — from cyber risk and governance to strategy and current status — and we provide examples and real-world observations to bring them to life. Or something similar, as not every report needs to cover all the areas.
But it’s not just about content — it’s about connection. We look at how often cybersecurity is discussed, who presents the information, how long those discussions last, and whether the Board gets the context they need to make informed decisions. We’ve also included a framework for Board reporting along with practical examples to help Boards and management teams get aligned — and stay aligned.
Bridging the gap between executive management and the board
Ensuring alignment and empowering decisive action on critical risks
This report is for any Director who wants confidence in their oversight. It's also a great source for Executives and Cybersecurity leaderswho provide information to Boards. It is a practical tool to help you evaluate your current reporting, it provides guidance against goodpractice, and helps you shape a fit-for-purpose approach going forward. If your Board wants clearer, more consistent cyber insights —and to be more informed to fulfil its responsibilities — this is the report you’ve been waiting for.
The Project Partners
We also acknowledge the valuable collaboration with the International Centre for Corporate Governance in St. Gallen, Switzerland and the National Centre for Cybersecurity Belgium (CCB), whose support and expertise contributed significantly to the success of this international practice-led initiative. We would like to extend heartfelt thanks to all Directors who have so graciously given us their time and insights that made this report possible.
