Inexpert Supervision: Field Evidence on Boards’ Oversight of Cybersecurity
56 Pages. Posted: 11 Jan 2022. Last revised: 31 Jan 2022
Date Written: December 28, 2021
Abstract
We conduct an interview-based field study to investigate how directors provide cybersecurity oversight and the role of expertise in determining its effectiveness. Our interviews suggest that directors’ cybersecurity expertise is an important determinant of oversight effectiveness, primarily through increasing directors’ attention to cybersecurity issues and enabling them to ask incisive questions of management. Moreover, in the absence of board expertise, directors rely heavily on chief information security officers (CISOs) to “coach” them on cybersecurity concepts, third-party validation, and even the process of cybersecurity oversight itself. Thus, a lack of board expertise can result in circular governance between the board and management, whereby the terms of oversight are largely dictated by the supposed subjects of that oversight. Further, our CISO participants believe their peers filter reports to the board to obfuscate potentially damaging information, and that boards lacking cybersecurity expertise are not able to detect such filtering.
Keywords: Corporate governance, boards of directors, board oversight, risk oversight, cybersecurity risk, agency theory, self-efficacy theory, qualitative field study