Since the adoption of NIS2, which introduces potential personal liability for individual board members, we’ve observed a growing awareness among boards of the need to address cybersecurity more structurally—as a core governance responsibility.
At the same time, many organisations are asking the same fundamental question:
How should we organise for cybersecurity governance at board level?
To help provide guidance, we’re pleased to share the article below, developed within the Cyber Sounding Board at Guberna, which our CEO Alex Driesen has the privilege of chairing.
The article outlines key considerations and practical recommendations for boards looking to strengthen their oversight of cybersecurity—not just to meet regulatory expectations, but to build long-term digital resilience.
Inspired by the INSEAD approach to sustainability governance, adapted to cybersecurity
- Executive Summary
Cybersecurity is a governance issue. Boards are expected to oversee cyber risk as part of their fiduciary duties. Individual directors may face personal liability if they fail to exercise adequate oversight. At the same time, this oversight is not easy. Boards struggle due to a lack of cybersecurity expertise and what has been called the ‘paralysis trap’: the tendency to avoid action in the face of overwhelming technical complexity and rapidly evolving threats. Choosing an adequate governance model can help.
This paper adapts the INSEAD sustainability governance model to cybersecurity by presenting six board-level governance models and six governance-enhancing plug-ins. These tools help boards structure their oversight in line with the company’s risk profile, digital maturity, and regulatory environment.
- Why Cybersecurity Is a Strategic Board Concern
Cybersecurity is no longer a back-office/technical issue—it has become a board imperative. The digitalisation of business models, evolving geopolitical threats, and the professionalisation of cybercrime have increased the scale and complexity of cyber risk. The World Economic Forum ranks cybersecurity among the top global risks. According to IBM, the average cost of a ransomware breach exceeded $4.5 million in 2022. Statista projects that the global cost of cybercrime will reach $10.3 trillion in 2025 and rise to $16 trillion by 2029—figures that approach 15% of projected global GDP ($111.3 trillion in 2024). Meanwhile, the cyber insurance market is tightening: premiums are rising and exclusions—especially for state-sponsored attacks—are becoming more common. As cyber threats grow and insurance protections diminish, boards can no longer afford to treat cybersecurity as purely operational. Individual directors may also face personal liability (cf. NIS2) if they fail to exercise adequate oversight. In this context, the need for structured, strategic cyber governance is clearer than ever.
- Why Structure Matters
Good intentions are not enough—effective cyber governance requires structured decision-making, clear responsibilities, and regular engagement. While no single model fits all boards, selecting the right approach to structuring and supporting oversight can significantly improve risk mitigation, crisis readiness, and board–management collaboration.