Linda Zecher

July Newsletter

Cyber Straight Talk - Cybersecurity advisors provide Boards with expert, independent insight into evolving digital risks, ensuring oversight keeps pace with an increasingly complex threat landscape. Their guidance helps translate technical threats into strategic business impacts, empowering Boards to make informed, resilient decisions.

Linda Zecher

June 2025 Newsletter

Phishing attacks have evolved far beyond poorly written scams. In 2025, cybercriminals are using generative AI, deepfake voice and video, and intelligent chatbots to create highly convincing and targeted social engineering attacks. These threats increase financial, legal, and reputational risks, and raise the stakes for Board oversight.

Board involvement is critical; otherwise, fiduciary responsibility is on the line.

Gone are the days of typo-ridden emails from mysterious princes.

Board Duties & Best Practices for Cyber Oversight 

Let’s assume all Board members are familiar with their fiduciary duties, but let’s take a minute to review them: Duty of Care and Duty of Loyalty.

Duty of Care requires directors to be informed and act prudently when overseeing the company's cybersecurity risks.

Duty of Loyalty means they must prioritize the company's interests, even if cyber issues aren't their expertise.

Boards and senior management have an important role to play in managing a serious attack. They must stay informed, build cyber resilience into oversight processes, and assume breaches are not a matter of “if,” but “when.” Fiduciary diligence in the digital age now includes understanding—and actively managing—cyber threats. AI is a great example of how a new technology can rapidly introduce a significant threat that isn’t just transforming security—it’s arming attackers.

Boards that fail to oversee cyber risk may face derivative shareholder suits if governance lapses lead to regulatory violations or material losses. An important step to ensure that strong oversight is in place is to have outside advisors who meet on a regular cadence with the Cyber Committee or full Board to review risks and new cyber threats that are penetrating the market, and to share insight into best practices across a broad spectrum of companies.

Recent Incidents Underscore the Risk

• Coinbase faced a breach involving insider collusion, leading to a $20M ransom demand and estimated remediation costs of up to $400M.

• Marks & Spencer experienced a three-week disruption, exposing customer data and wiping £1.3B off its market value despite cyber insurance coverage. The fact that the company is expected to recoup lost revenue from cyber insurance might feel like reassurance, but what happens to their cyber insurance rates after such a large claim?

• Gmail & Retailers - Scattered Spider hackers used deepfakes and spoofed subpoenas to target Google users and major retailers.

These events highlight the rising frequency and sophistication of attacks, especially those exploiting AI. 

So why is AI-Driven Phishing so Effective?

· Personalization: AI tailors messages using scraped social profiles

· Deepfakes: Voice and video mimic real executives

· Chatbots: Engage employees in real-time

· Scale: Thousands of unique attacks can be generated in seconds

True Story - A finance employee wired $500,000 after a Zoom call from a deepfake CFO. The voice, background, and urgency were all AI-generated.

Legal Precedent and Board Accountability

The Delaware Caremark case (1996) established that boards must maintain adequate oversight systems to meet their fiduciary duties. Recent decisions, including Clovis Oncology (2019), have narrowed deference to boards, especially where companies fail to monitor compliance frameworks tied to known risks—like cybersecurity.

· Caremark (1996): Established that boards must implement and monitor reporting systems to stay informed of compliance risks.

· Clovis Oncology (2019): Reinforced that boards may be liable when they ignore known risks, such as those governed by law (e.g., data privacy, cybersecurity).

· SolarWinds Derivative Suit (2023): Alleged that directors failed to provide adequate cyber oversight, setting the stage for further legal scrutiny.

Regulatory and market pressures around the oversight of cyber threats are increasing.

The U.S. SEC now requires public companies to disclose material cyber incidents and describe board oversight.

Investors and insurers are evaluating cyber governance as part of company value and coverage assessment.

Board Responsibilities: A Checklist

· Implement a cybersecurity framework.

· Get regular third-party risk briefings.

· Understand business, not just technical, impact.

· Oversee incident response and recovery.

· Document all governance efforts.

Let's Talk

Bottom Line: Cyber Risk Is a Board-Level Issue. Cybersecurity is no longer just IT's responsibility. Boards that fail to engage and oversee cyber risks may be viewed as negligent. Proactive oversight is now essential for governance, compliance, and corporate resilience.

Cyber Knowledge Partners offers briefings, workshops, and dashboards that enable Boards to:

· Understand evolving threats and regulations

· Implement strong governance models

· Track key risk metrics with clarity

Our Cyber Governance Advisory practice delivers real-time insight, without technical jargon.

Contact us today to schedule a meeting to explore how we can help strengthen your cyber oversight.

Linda Zecher

May 2025 Newsletter

If you are like many people, you have a lot of apps on your phone. According to Buildfire.com, 21% of Millennials open an app 50+ times per day, with 49% of people overall opening an app 11+ times per day. Additionally, 70% of US digital media time comes from mobile apps.