Linda Zecher

September Newsletter - Cyber Security Threats and the AI Oversight Gap

Cyber threats pose a rapidly growing risk to enterprise value, operational continuity, shareholder value, and regulatory compliance. The 2025 IBM Cost of a Data Breach Report reveals a paradox: while global breach costs fell for the first time in five years, driven by AI-enabled defenses, U.S. breach costs surged to an all-time high of $10.22 million.

A Strategic Imperative for Boards

Question: If you were sitting on a Board of Directors and knew that a cyber attack could dramatically disrupt the business and do significant financial harm, what would be your biggest worry about your role as a Board member?

Answer: In the face of cyber threats, failure to adequately oversee cyber risk.

The divergence between falling global costs and record U.S. costs underscores a critical truth: technology alone cannot mitigate risk without strategic oversight. Boards must move beyond passive awareness into active governance. The rise of AI-driven attacks, shadow AI deployments, and governance gaps now demands a recalibration of fiduciary responsibility. Cyber risk is no longer a technical sidebar; it is a strategic priority that requires fluency and engagement at the Board level.

A recent NACD report found that, in an ever-changing threat environment, directors acknowledge the need for improvement in key areas: the quality of reporting and metrics (47% rate improvement as very or extremely important), the delineation of specific roles and responsibilities for specific committees (39%), and director access to quality education and outside expertise (38%).

Cyber Knowledge Partners exists to bridge that gap between technical challenges and business realities.

We empower Boards and executives to lead with confidence by translating technical complexity into actionable governance. Our approach aligns cybersecurity with enterprise risk, regulatory obligations, and shareholder value.

The Strategic Risk Landscape

Key findings from IBM's 2025 report illustrate that the financial and operational stakes are at levels that can be devastating to most organizations. The two most common initial attack vectors remain phishing (16%) and third-party vendor and supply chain compromise (15%); both also rank among the top three factors driving recovery costs. Malicious insiders are less common, at 9% of breaches, but produce the most costly attacks.

Boards must ensure that the companies they oversee understand their risk profiles in order to make the proper fiduciary and oversight decisions.

The AI Oversight Gap

How does the introduction of AI into the business environment change a company's vulnerability profile? AI is both a shield and a sword. While AI-enabled defenses reduced average breach costs by $1.9M and cut breach lifecycles by 80 days, uncontrolled deployment and a poor understanding of the tools have created new exposures. For example, 97% of organizations that reported an AI-related breach lacked proper AI access controls, and of the roughly 600 organizations studied in the IBM report, 60% did not have an AI governance policy. The report confirms that 1 in 6 breaches involved attacker-deployed AI, primarily through:

· AI-generated phishing (37%): generative AI cuts the time to craft a convincing phishing email from about 16 hours to 5 minutes
· Deepfake impersonation (35%): accelerating fraud, eroding trust, and creating reputational risk

These tactics exploit human vulnerabilities, making traditional defenses insufficient. Cyber risk now encompasses not just technical compromise but also psychological manipulation and reputational sabotage. Breaches involving these additional vulnerabilities added roughly $670K to the average overall cost. An AI policy that is in place, followed, and reviewed on a regular basis mitigates this risk and is an effective way to avoid absorbing those additional costs.

Oversight vs. Exposure: The Board's Role

Boards must pivot from reactive compliance to proactive governance. Strategic imperatives include:

1. Strategic Integration of Cybersecurity

· Embed cyber risk into enterprise risk management, and approve the cybersecurity budget as risk-avoidance ROI, not just as an IT cost
· Align cybersecurity with financial and operational strategy
· Ensure direct Board access to cyber leadership and threat intelligence

2. Governance of AI and Shadow AI

· Establish strict approval and review processes for AI deployments
· Conduct regular audits of policy adherence
· Invest in AI governance frameworks and monitoring tools

3. Breach Readiness and Response

· Develop and test playbooks for AI-driven incidents, focusing on resilience and customer impact, not just response
· Conduct breach simulations at the Board level
· Monitor how breaches are detected: breaches disclosed by the attacker cost $5.08M on average versus $4.18M when identified internally

Partnering for Resilience: How Cyber Knowledge Partners Helps 

Our Capabilities

· Board Education & Briefings – Tailored sessions that demystify cyber risk, AI governance, and breach response
· Oversight Frameworks – Governance models integrating cybersecurity into enterprise risk and fiduciary oversight
· AI Risk & Shadow AI Audits – Proactive assessments that uncover unsanctioned use and governance blind spots
· Executive Communication Support – Messaging that reassures regulators, investors, and stakeholders
· Crisis Simulation & Playbooks – Realistic scenarios that prepare Boards for AI-driven attacks
· Thought Leadership & Outreach – Content strategies that amplify your voice and establish market leadership

Conclusion

Cyber and AI-driven threats are redefining enterprise risk. Oversight is no longer optional; it is a fiduciary imperative. Boards that act decisively can not only mitigate strategic exposure but also position their companies as leaders in cyber governance.

With Cyber Knowledge Partners, Boards gain the clarity, tools, and confidence to govern emerging technologies and meet this challenge head-on.

Cyber Knowledge Partners

www.cyberknowledgepartners.com

1629 K Street

Washington, DC 20006

202.600.7690

Linda Zecher

August 2025 Newsletter

By empowering directors with the tools, frameworks, and language of cyber risk, organizations position themselves not just to defend—but to lead.

Effective cyber governance isn’t about technical mastery; it’s about informed inquiry, strategic curiosity, and accountability. In a digital-first landscape shaped by intelligent threats and accelerating regulation, effective cybersecurity oversight starts with asking the right questions.

It might feel counterintuitive to elevate strategic inquiry as its own skill.

CISO & Boards - Here’s a relevant observation. Your CISO and the folks providing innovative solutions in cybersecurity and AI are noticing their expertise doesn’t easily translate into an ability to connect cyber risk with the business impacts that jeopardize your EBITDA. (Try asking someone on your IT team about EBITDA sometime.)

They have their own expertise. You count on them to focus heavily on operational controls—firewalls, patches, compliance dashboards.

An acquaintance relayed the following remark made during a recent Board meeting.

“I propose we invite a cybersecurity governance advisor to deliver a tailored educational session specifically for us - Board members—something that doesn’t require technical fluency but helps us connect cyber risks to financial, reputational, and operational impact. We need the language and context to ask better questions and make informed oversight decisions. I believe this kind of primer could transform how we approach cyber as part of our enterprise risk.”

How Cyber Knowledge Partners Can Help

The right questions are essential to effective oversight. What do those questions sound like?

1. What do we need to include for effective benchmarking against business impacts?

2. What practices ensure our cybersecurity and AI fluency organization wide?

3. What are our most critical assets—and how are we protecting them?

Of course, asking ad hoc questions in the limited time available at a Board meeting won’t get you all the way to solid governance in the complex, fast-changing cyber environment we operate in. You need a linchpin and translator who connects sound cyber practices to your strategic business imperatives, so you can evaluate both for alignment and strategic outcomes.

Cyber Knowledge Partners (CKP) has its own unique expertise. CKP consists of current and former Board members and senior business leaders who serve as strategic allies to Boards by translating complex cybersecurity concerns into clear financial implications. We go beyond surface-level briefings to help directors recognize how cyber risk—if unmanaged—can directly impact EBITDA, shareholder value, and operational continuity.

Through tailored board engagements, CKP maps threat exposures to business-critical assets, aligns oversight with evolving regulatory demands, and enables Boards to ask the right questions about cyber governance, investment prioritization, and insurance strategy.

Our mission is not just to educate—but to empower leadership with contextual insight that drives resilient, financially sound decision-making.

One example of how CKP supports Boards is by designing customized dashboards that translate technical cybersecurity data into strategic insight.

These visual tools help directors assess risk exposure, monitor trends over time, and connect threat indicators to business impact—empowering informed oversight without requiring technical fluency.

For example:

· What are our most critical assets, and how are they protected?

· How do we benchmark cyber risk against industry peers?

· Is our incident response plan tested and board-reviewed?

· Are vendors and partners part of our cyber risk strategy?

· What frameworks (NIST, ISO, CISA) are we aligned with?

· How do cyber events affect our bottom line - and how fast do we recover?

We have found that Boards appreciate having a Governance Readiness Checklist. We work with Boards to create one and provide ongoing monitoring where needed. That checklist might include:

Governance Readiness Checklist:

· Updated cyber charter at the Board level

· Cyber insurance with reviewed policy terms

· Regular tabletop exercises simulating breach scenarios

· Inventory of active AI and cyber tools

· Executive ownership of cyber and data privacy risk

· Vendor risk assessments built into procurement process

Linda Zecher

July Newsletter

Cyber Straight Talk - Cybersecurity advisors provide Boards with expert, independent insight into evolving digital risks, ensuring oversight keeps pace with an increasingly complex threat landscape. Their guidance helps translate technical threats into strategic business impacts, empowering Boards to make informed, resilient decisions.

Linda Zecher

June 2025 Newsletter

Phishing attacks have evolved far beyond poorly written scams. In 2025, cybercriminals are using generative AI, deepfake voice and video, and intelligent chatbots to create highly convincing and targeted social engineering attacks. These threats increase financial, legal, and reputational risks-and raise the stakes for Board oversight.

Board involvement is critical; otherwise, fiduciary responsibility is on the line.

Gone are the days of typo-ridden emails from mysterious princes.

Board Duties & Best Practices for Cyber Oversight 

Let’s assume all Board members are familiar with their fiduciary duties, but let’s take a minute to review the two that matter most here: the Duty of Care and the Duty of Loyalty.

Duty of Care requires directors to be informed and act prudently when overseeing the company's cybersecurity risks.

Duty of Loyalty means they must prioritize the company's interests-even if cyber issues aren't their expertise.

Boards and senior management have an important role to play in managing a serious attack. They must stay informed, build cyber resilience into oversight processes, and assume breaches are a matter of “when,” not “if.” Fiduciary diligence in the digital age now includes understanding, and actively managing, cyber threats. AI is a clear example of how a new technology can rapidly introduce a significant threat: it isn’t just transforming security, it’s arming attackers.

Boards that fail to oversee cyber risk may face derivative shareholder suits if governance lapses lead to regulatory violations or material losses. An important step in ensuring that strong oversight is in place is to engage outside advisors who meet on a regular cadence with the Cyber Committee or the full Board to review risks, emerging cyber threats, and best practices observed across a broad spectrum of companies.

Recent Incidents Underscore the Risk

· Coinbase faced a breach involving insider collusion, leading to a $20M ransom demand and estimated remediation costs of up to $400M.

· Marks & Spencer experienced a three-week disruption, exposing customer data and wiping £1.3B off its market value despite cyber insurance coverage. The fact that the company is expected to recoup lost revenue from cyber insurance might feel like reassurance, but what happens to its cyber insurance rates after such a large claim?

· Gmail & Retailers: Scattered Spider hackers used deepfakes and spoofed subpoenas to target Google users and major retailers.

These events highlight the rising frequency and sophistication of attacks, especially those exploiting AI. 

So Why Is AI-Driven Phishing So Effective?

· Personalization: AI tailors messages using scraped social profiles

· Deepfakes: Voice and video mimic real executives

· Chatbots: Engage employees in real time

· Scale: Thousands of unique attacks can be generated in seconds

True Story: A finance employee wired $500,000 after a Zoom call from a deepfake CFO. The voice, background, and urgency were all AI-generated.

Legal Precedent and Board Accountability

The Delaware Caremark case (1996) established that boards must maintain adequate oversight systems to meet their fiduciary duties. Recent decisions, including Clovis Oncology (2019), have narrowed deference to boards, especially where companies fail to monitor compliance frameworks tied to known risks—like cybersecurity.

· Caremark (1996): Established that boards must implement and monitor reporting systems to stay informed of compliance risks.

· Clovis Oncology (2019): Reinforced that boards may be liable when they ignore known risks, such as those governed by law (e.g., data privacy, cybersecurity).

· SolarWinds Derivative Suit (2023): Alleged that directors failed to provide adequate cyber oversight, setting the stage for further legal scrutiny.

The Regulatory & Market Pressures are increasing around the oversight of Cyber threats.

The U.S. SEC now requires public companies to disclose material cyber incidents on Form 8-K within four business days of determining materiality, and to describe the Board’s oversight of cyber risk in their annual reports.

Investors and insurers are evaluating cyber governance as part of company valuation and coverage assessment.

Board Responsibilities: A Checklist

· Implement a cybersecurity framework.

· Get regular third-party risk briefings.

· Understand business impact, not just technical impact.

· Oversee incident response and recovery.

· Document all governance efforts.

Let's Talk

Bottom Line: Cyber Risk Is a Board-Level Issue.  Cybersecurity is no longer just IT's responsibility. Boards that fail to engage and oversee cyber risks may be viewed as negligent. Proactive oversight is now essential for governance, compliance, and corporate resilience.

Cyber Knowledge Partners offers briefings, workshops, and dashboards that enable Boards to:

· Understand evolving threats and regulations

· Implement strong governance models

· Track key risk metrics with clarity

Our Cyber Governance Advisory practice delivers real-time insight, without technical jargon.

Contact us today to schedule a meeting and explore how we can help strengthen your cyber oversight.

#cybersecurity #cyberknowledgepartners

Linda Zecher

May 2025 Newsletter

If you are like many people, you have a lot of apps on your phone. According to Buildfire.com, 21% of Millennials open an app 50+ times per day, and 49% of people overall open an app 11+ times per day. Additionally, 70% of U.S. digital media time comes from mobile apps.
