Recently, the Council of Institutional Investors (“CII”) issued a guide to shareholder engagement on cyber risk. The guide is intended to enable shareholders to ask appropriate questions of boards to gauge whether companies are taking proper steps to mitigate cyber risk. The guide poses the following five questions:

  • How are the company’s cyber risks communicated to the board, by whom and with what frequency?
  • Has the board evaluated and approved the company’s cybersecurity strategy?
  • How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  • How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  • When did the board last discuss whether the company’s disclosure of cyber risk and cyber incident is consistent with SEC guidance?

CII’s guide demonstrates the ongoing importance of cybersecurity and of boards being knowledgeable in the corporate governance area.