The Executive Cyber Risk Briefing: What Boards Really Should Be Asking
The right questions in the boardroom can make the difference between reactive and proactive risk management. We provide the question catalog.
Why Boards Must Ask the Right Questions
Cybersecurity is a top management matter – that is now consensus. But what does this mean concretely for board and supervisory board work? Many governing bodies rely on reports from their internal IT or security departments: dashboards with technical metrics, traffic light reports, annual penetration test results. The problem: these reports show what internal security sees – not what is actually happening in the external threat landscape.
Effective cyber risk governance begins with the right questions. Not technical questions intended to overwhelm the CISO, but strategic questions that show whether the company is truly prepared.
The Question Catalog for the Board
On External Threat Landscape:
- Do we know whether our company or our suppliers are being traded on the darknet?
- Do we have concrete knowledge of ransomware groups actively attacking companies in our sector?
- How quickly would we learn if a phishing attack is running under our brand name?
On Supply Chain:
- Is our third-party risk assessment based on technical data or questionnaires?
- Do we know which of our suppliers may already be compromised?
- Do we have regular technical reviews for our most critical suppliers?
On Response Capability:
- How long would it take us to notice an ongoing attack?
- What is our concrete plan in the event of a ransomware attack?
- Do we have the ability to proactively initiate countermeasures – e.g., have phishing sites taken down?
On Documentation and Compliance:
- Can we demonstrate in an emergency that we have taken appropriate security measures?
- Are our NIS2 and, where applicable, DORA obligations fully documented?
- Does our insurer have clear requirements that we can meet and demonstrate?
What Distinguishes Good Answers from Problematic Ones
If answers to these questions are "we'll look into that sometime" or "we have external service providers for that" without concrete evidence, that is a warning signal. Good answers include specific insights, documented processes, and measurable metrics.
The quality of the answers is also an indicator of the actual maturity of the cybersecurity organization – and thus of the liability risk for governing bodies.
Note: This article serves as general guidance and does not replace individual legal or security consulting.
Do you have concrete questions about your security situation?
We speak directly with you – no sales pressure, no standard presentation. Only relevant insights for your situation.