Good Cyber Risk Governance for Senior Management

October 13, 2023

The International Bar Association recently published a cyber governance playbook – “Global perspectives on protecting against cyber risks: best governance practices for senior executives and boards of directors”. The playbook contains a trove of practical tips that almost any company could benefit from. We’ve summarized some of the key recommendations for you:  

Cyber Risk: Good Governance Practices for Senior Executives 

Get Your Cybersecurity Priorities Straight  

Your company should work out what its most important information, technologies, business processes, and people are before allocating resources. It’s critical that you know and understand what assets you have and that you prioritize protecting the most important ones. You should also give appropriate thought to less important assets that have a higher risk profile and see what you can do to reduce that risk, if necessary.  

Conduct Annual Cybersecurity Training & Regular Phishing Tests 

All employees and contractors should engage in annual cybersecurity training.  

You should also arrange for regular phishing test emails to be sent to your workforce (at different times and ideally containing different content) to test their ability to spot risky emails and handle them appropriately. Don’t expect perfection. Instead, educate your workforce about your company’s risk appetite, so they can make informed decisions about risky behavior and learn how and when to take acceptable cybersecurity risks. This approach may counteract the view that risks are insignificant while also reducing the fear associated with reporting policy violations.  

Periodically Review Statistical Reports About ‘Lower Level’ Incidents 

Your company would benefit from tracking all cyber incidents and threats, even if there are certain types not deemed significant enough to report to management. These statistics can help you identify emerging threats, re-evaluate your priorities, and tailor your training, amongst other things.  

Plan For & Practice Your Cybersecurity Incident Responses 

Your company’s response to a cybersecurity incident rests with senior management. It’s essential that your leadership has:  

  • Devised and documented a full crisis response plan;  
  • Identified roles and responsibilities for all individuals and teams that will need to contribute in the event of a cyber incident;  
  • Shared the plan with the relevant individuals and teams; and 
  • Rehearsed the plan.  

These plans should include (amongst other things): 

  • Requirements for providing notice to regulators and any other relevant bodies;  
  • Crisis communication outlines; and  
  • Guidelines for handling third-party security incidents.  

Plan for Increased Cyber Compliance at the Senior Management Level 

We’ve seen increased cyber-risk compliance obligations come into effect in Hong Kong, Australia, and the UK. The EU’s Digital Operational Resilience Act, which requires senior management in financial entities to identify and assess cyber risks, comes into effect in 2025.  

As with all global trends, we wouldn’t be surprised to see similar requirements introduced in the US. Companies should consider the impact of increased pressure placed on senior management to plan for and manage organizational cyber resilience. From there, evaluate the impact of added compliance and create a roadmap towards it. 

If your company needs help managing cyber risk, reach out. Our privacy attorneys would love to work with you.  


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
