jan-karel.com

Cybersecurity as Board Responsibility

Decisions That Limit Damage

Cybersecurity is not a technical side issue; it is part of business continuity, liability and reputation.

Treating cybersecurity as a board responsibility only works with measurable objectives, clear escalation paths and timely decisions.

That is how the subject stops being a recurring discussion point and becomes a managed part of regular business operations.

Why this matters

The core of treating cybersecurity as a board responsibility is risk reduction in practice. Technical context informs the choice of measures, but what matters at board level is whether those measures are implemented, maintained and embedded in how the organisation operates.

From IT problem to business risk

There was a time when cybersecurity was a matter for the system administrator. They installed the firewall, ran the updates, and if something went wrong you called them. That time is over.

Cybersecurity has become a business risk, comparable to financial risk, legal risk or reputational risk. And just as you as a board member do not say "finance, the accountant will handle that" or "legal, we have a lawyer for that", you can no longer throw cybersecurity over the fence to IT.

Why not? Because the impact of a cyber incident is not confined to the server room. A ransomware attack brings your entire business operations to a halt. A data breach damages the trust of your clients. A breach at a supplier affects your production chain. These are business problems that require a business-oriented approach.

In June 2017 the shipping company Maersk was hit by the NotPetya malware. Within seven minutes some 49,000 laptops, 3,500 servers and the entire network were unusable. The company operated manually for ten days: shipments were tracked on paper and container terminals worked with improvised systems. The estimated damage was 250 to 300 million dollars. The chairman of the board, Jim Hagemann Snabe, later described it as a wake-up call for the entire board.

Key point: Cybersecurity is not a technical topic that you can delegate. It is a board responsibility, just like financial management and risk management.

Where it went wrong: lessons from practice

The most valuable lessons come from organisations where things went wrong. Not because those organisations were incompetent – they often had large IT budgets and talented teams – but because the board layer failed in its supervisory role.

Equifax (2017)
  What happened: personal data of 147 million people stolen via an unpatched Apache Struts vulnerability for which a fix had been available for months.
  Where the board failed: the security function did not report to the board; there was no board-level oversight of patch management.

Maersk (2017)
  What happened: NotPetya took down the entire network; around 300 million dollars in damage.
  Where the board failed: no tested disaster recovery plans; cybersecurity was not on the board agenda.

SolarWinds (2020)
  What happened: a supply chain attack via a trojanised software update reached some 18,000 customer organisations, including government agencies.
  Where the board failed: boards trusted suppliers without due diligence on their security.

Colonial Pipeline (2021)
  What happened: ransomware on the IT network led the company to shut down the largest fuel pipeline in the US as a precaution; initial access was via a VPN account without multi-factor authentication.
  Where the board failed: IT and operational systems were not separated well enough to keep operating; the board had no visibility into these dependencies.

Maastricht University (2019)
  What happened: ransomware encrypted virtually all systems; 197,000 euros in ransom was paid.
  Where the board failed: known vulnerabilities had gone unpatched for months; insufficient board oversight of basic measures.

The pattern is always the same: the board did not know what it did not know. There was no structural reporting on cybersecurity. There were no clear responsibilities. And when things went wrong, there was no plan.

The three pillars: people, processes, technology

Board members tend to reduce cybersecurity to technology. More firewalls, better software, more expensive tools. But technology alone is not enough. Effective cybersecurity rests on three pillars, and as a board member you must oversee all three.

People

People are both the strongest and the weakest link. An employee who recognises and reports a phishing email is more valuable than any firewall. But an employee who clicks on the wrong link can undo all technical measures in one stroke.

What the board must arrange:
- Budget for structural security awareness training (not an annual PowerPoint)
- A culture in which reporting is rewarded, not punished
- Sufficient qualified security personnel, or a reliable partner that provides this

Processes

Technology without processes is like a fire alarm without an evacuation plan. You need procedures for incident response, for managing access rights, for evaluating suppliers, for installing updates.

What the board must arrange:
- An incident response plan that is regularly practised
- Clear responsibilities: who decides what during an incident?
- Periodic risk analyses that actually lead to action

Technology

The technical measures are the foundation. But the board does not need to know how a firewall works. The board must know whether the right technical measures have been taken, whether they are up to date, and whether they are being tested.

What the board must arrange:
- A clear picture of the critical systems and their security
- Budget for maintaining and testing technical measures
- Independent verification (penetration tests, audits) of the technical state

What board members think vs. what the reality is

One of the biggest risks is the gap between what board members assume about their cybersecurity and what is actually happening. Below are the most common assumptions and the reality behind them.

"We are too small to be a target."
  Reality: attackers scan automatically. Size does not matter; vulnerability does. SMEs are frequently hit precisely because they are less well protected.

"We have a good firewall, so we are safe."
  Reality: a firewall protects the perimeter. Most attacks come in via email, stolen credentials or suppliers, straight through the firewall.

"Cybersecurity is IT's responsibility."
  Reality: IT implements measures. The board is responsible for risk management and for making resources available. Under NIS2, board members can be held personally liable.

"We have cyber insurance, so the risk is covered."
  Reality: insurers impose ever stricter requirements. Without basic measures in place they will not pay out. And reputational damage is not insurable.

"Our IT supplier manages security."
  Reality: unless it is laid down contractually and you verify it, this is an assumption. Maastricht University thought it was taken care of too.

"We are compliant, so we are safe."
  Reality: compliance is the minimum. It means you meet the legal requirements, not that you are resilient to a targeted attack.

"A data breach won't happen to us."
  Reality: on average it takes 204 days before an organisation discovers a breach (IBM Cost of a Data Breach Report 2023). It may already have happened without your knowledge.

Ask yourself: how many of these assumptions do you recognise in your own organisation? Each one is a blind spot that deserves attention.

The five questions every board must ask

You do not need to be a technical expert as a board member. But you must ask the right questions. These five questions give you insight into the cybersecurity maturity of your organisation.

1. What are our crown jewels and how are they protected? Every organisation has systems and data that are essential to its survival. Customer data, intellectual property, financial systems, production systems. Do you know which ones those are? And do you know how they are protected?

2. How quickly can we recover if things go wrong? Not if things go wrong, but when. How long can your organisation function without its most important systems? Is there a disaster recovery plan? Has it been tested? What is the maximum acceptable downtime?

3. How do we keep our security up to date? Threats are constantly changing. A security approach from two years ago may be outdated. Are systems patched regularly? Are new threats being monitored? Is there a process for updating measures?

4. Who is responsible and to whom do they report? Is there a CISO or equivalent role? Does that person report directly to the board, or is there a long chain of intermediary layers? How often does the board receive an update on the state of security?

5. Have we been independently verified? Trust is good, oversight is better. When was the last independent penetration test or audit conducted? What were the findings? Have they been resolved?

Do this this month

Use this checklist as a starting point to assess whether cybersecurity is sufficiently embedded in your governance. This is not a technical checklist – it is a governance checklist.

Tip: run through this checklist with your CISO or IT manager. Every point on which you do not get a clear answer is a risk that deserves attention. No panic – just action.

NIS2: personal liability is not a theoretical risk

NIS2 (Directive (EU) 2022/2555) has applied since 18 October 2024, the date by which Member States had to transpose it into national law. It requires the management bodies of organisations in essential and important sectors to approve and oversee their cybersecurity risk-management measures, and it requires Member States to make those board members liable for infringements. This is not an abstract legal concept: a board member who demonstrably failed in their oversight of cybersecurity can be fined or held personally liable, with the exact regime set by the national implementing law.

Fines under NIS2 can reach 10 million euros or 2% of global annual turnover, whichever is higher, for essential entities, and 7 million euros or 1.4% of global annual turnover for important entities. Board members are also required to follow cybersecurity training and to build sufficient knowledge to assess risks and their impact on the services the organisation provides.

This is not intended to frighten board members. It is intended to give cybersecurity the board-level attention it deserves. And frankly: if you only act as a board member because you are personally liable, you were already too late to start. More about the legal consequences can be found in the chapter on director liability.

Where to start

If cybersecurity has not been on your board agenda until now, start here:

  1. Schedule a conversation with your CISO or IT manager. Ask the five questions from this chapter. Listen. Ask follow-up questions.
  2. Commission a baseline assessment. An independent party that maps the current state of your security. Not a sales pitch, but an honest picture.
  3. Put cybersecurity on the board agenda. Not once, but structurally. A quarterly update with concrete metrics and risks.
  4. Invest in people. Not only in technology. Security awareness training for all employees and sufficient capacity in the security team.
  5. Practise the worst case. Organise a tabletop exercise in which you simulate your organisation being hit by ransomware. Who calls whom? Who decides what? How do you communicate to clients and the media?

Cybersecurity is not a project you complete. It is a continuous process of improving, testing and adjusting. And the role of the board in that is not to know the technical details, but to ask the right questions, appoint the right people, and make the right resources available. Make sure you have sufficient visibility into what is happening in your network – without logging and monitoring attacks remain invisible.

That is not an IT problem. That is leadership.

Now that you know what responsibility the board bears, the next step is setting up a structured risk management process. In the next chapter, Risk Management and Risk Analysis, you will learn how to identify, prioritise and translate risks into concrete measures.
