Breaching the silence on cyber security: for all the sound and fury, many boards spend surprisingly little time on cyber security. Here are 10 questions directors should be asking management.

Author: Boehmer, David
Position: HEIDRICK & STRUGGLES GOVERNANCE LETTER

FOR BOARDS OF DIRECTORS, cyber security is no longer an IT issue but an urgent matter of risk management. The list of risks is long and getting longer: theft of intellectual property, breaches of customer information, denial of service, malicious code, viruses, disclosures of information by disgruntled employees, and more. Meanwhile, yesterday's cyber vandals have been joined by a new generation of online uber-criminals, by other groups working closely with governments intent on stealing trade secrets and passing them on to their nation's critical industries, and by "hacktivists" with a political axe to grind. In October 2011 the SEC issued guidance to the effect that cyber attacks should be disclosed if they had a material impact on a company's operations or finances or were among the factors that could make an investment risky. In February 2013, an executive order and accompanying presidential policy directive instructed government agencies to work on cyber security issues with private owners of critical infrastructure in the U.S.

Yet for all the sound and fury, many boards spend surprisingly little time on cyber security. According to the Carnegie Mellon Governance of Enterprise Security: CyLab 2012 Report, a survey of senior executives and corporate board members from the Forbes Global 2000 list, "only about one-third of the boards that are engaged with privacy and security issues are focusing on activities that would help protect against reputational or financial losses flowing from data breaches and theft of confidential and proprietary information."

To some degree, the silence in boardrooms is understandable. Cyber security is a technically complex subject; the IT structure is largely opaque to most directors, and many board members judiciously refrain from speaking up on matters they don't understand. But the issue is much more than an IT one--cyber security extends across nearly every action a firm takes.

The 'ask' list

With so much at stake, boards should make sure that the management team is adequately addressing cyber risks, taking steps to mitigate them, and doing so within acceptable boundaries of risk tolerance. Directors can break the silence by asking these 10 initial questions:

* Are we a likely target for cyber attacks? Why and by whom? For any major, publicly traded corporation, the answer is almost always yes. Banks, credit card companies, transaction processors, and retailers are obvious targets, and they know it--many of...
