Cyber in the Boardroom

Cyber Security: What does it mean for the Board?



Cyber Security risk is an everyday business consideration in the same way that threats in the real world always have been.

Investors, governments and regulators are increasingly challenging board members to actively demonstrate diligence in this area.

Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.

Business pressures: why companies should consider reviewing their strategy

  • Pressure to find new customers and compete with existing and newly emerging competitors means many companies are leveraging digital technology and introducing new systems, exposing the company to data risks.
  • A mutating threat landscape where an increasing range of highly professional attackers are innovating faster than many businesses can improve their defences.
  • Restoring trust and minimising reputation damage is key for many industries – a data breach could affect trust, reputation and share price.

Potential impact and possible implications for Boards

  • Intellectual property losses including patented and trademarked material, client lists and commercially sensitive data.
  • Penalties, such as legal or regulatory fines for data privacy breaches, and customer or contractual compensation for delays.
  • Property losses of stock or information leading to delays or failure to deliver.
  • Reputational losses causing your market value to decline; loss of goodwill and confidence by customers and suppliers.
  • Time lost investigating the losses, keeping shareholders advised and supporting regulatory authorities (financial, fiscal and legal).
  • Administrative resources needed to correct the impact, such as restoring client confidence, communicating with authorities, replacing property and restoring the organisation's business to its previous levels.

Board level awareness

Board level awareness of emerging cyber threats and direct involvement in determining the response is critical. Threat intelligence can help organisations become more proactive, focused and preventative, taking control of cyber risk in a unique and positive way. Asking the questions below can help leaders quickly identify gaps in the current cyber security strategy and encourage an organisation-wide approach to securing the future of their business.

  • How do we move from reacting to anticipating cyber-attacks?
  • How do we put the cyber threats we face into business context?
  • How do we demonstrate the return on investment of our cyber security measures?
  • When was the cyber threat last examined by the Board?
  • Is cyber part of the Board’s strategy discussions?
  • Does our CIO know when to act and are they empowered to do so? Has it been effective?

Boardroom Questions

  1. Who in our organisation is responsible for cyber security issues?
  2. What are our key information assets?
  3. Do we fully understand our current vulnerabilities?
  4. What is our risk appetite?
  5. Do any of our supply chain partners put us at risk?
  6. Does our organisation meet all of its obligations for information assurance?
  7. Do we meet the information security requirements to bid for government contracts?
  8. What processes do we have in place to deal with cyber threats?
  9. Are our competitors ahead of us? If so, does this give them an advantage?

Questions for Senior Management

  1. What should our response be to cyber-attack?
  2. How effective has our response been to our cyber stress and those of our clients and suppliers?
  3. What do we know about the people/organisations responsible for the attacks and how do they operate?
  4. Are there any patterns regarding cyber-attacks that make our information and assets more vulnerable at certain times?
  5. Who should we be sharing threat intelligence with and how?
  6. How do we establish an effective Security Operation Centre?
  7. How can we use security as a business enabler?

What actions could the Board consider?

Consider developing a strategy that is more than just security, combining people, privacy, information governance and business resilience. Using KPMG’s Cyber in the Boardroom methodology, member firms work with Boards to understand the risks they face and the impact on their strategic plans and day-to-day operations.

KPMG's Cyber Maturity Assessment (CMA) provides an in-depth review of an organisation’s ability to protect its information assets and its preparedness against cyber-crime, looking at:

  • Leadership & Governance
  • Human Factors
  • Information Risk Management
  • Business Continuity
  • Operations & Technology
  • Legal & Compliance

© 2021 KPMG LLC, an Isle of Man limited liability company and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
