[Image: Surreal boardroom of faceless directors ignoring a digital breach spreading across a cityscape, symbolizing failed cybersecurity oversight.]

Boards love to say they “take cyber seriously.” They add an IT committee, expand the board, schedule an annual cyber briefing, and proudly tell shareholders that the organization is “enhancing cyber oversight.” Yet breaches keep happening, regulatory expectations keep rising, and CISOs keep leaving.

The problem isn’t a lack of structure.
The problem is that structure isn’t translating into substance—and now we have hard data to prove it.

1. What the Research Actually Shows

A 2024 study in Future Business Journal examined listed banks in the MENA region and asked two simple questions:

  1. Does cybersecurity disclosure improve bank performance?
  2. Do common governance levers—board size, IT committee, and chief risk officer (CRO)—actually strengthen that relationship?

The answers are blunt:

  • Cybersecurity disclosure does have a positive and significant impact on bank performance.
  • The presence of a CRO strengthens that positive effect.
  • Board size and IT committee presence do not significantly improve performance or act as meaningful moderators in this relationship.

In other words: adding more directors or creating an IT committee did not make these banks better at turning cyber transparency into value. But having a CRO did.

The authors found that cybersecurity disclosure in MENA banks increased from 17% in 2019 to 19.6% in 2021, indicating a growing appetite for cyber transparency as digital risk rises (Elsayed, Ismail, & Ahmed, 2024).

This isn’t just a regional quirk. A separate study on Bangladeshi banks showed an increasing trend in voluntary cybersecurity disclosure but no consistently significant relationship between board size and disclosure—while board independence and gender diversity did matter (Mazumder & Hossain, 2023).

Taken together:
Boards are getting bigger and adding committees, but those moves, by themselves, are not delivering better cyber outcomes.

2. Why Boards Think They’re Doing Better Than They Are

Most boards are acting in good faith. They’re reacting to pressure from regulators, investors, and the media. But there are four persistent gaps between how boards see cyber oversight and how it actually works.

a. Cyber is still treated as “IT’s problem”

Even in 2025, many boards still receive cyber as a technical briefing—lists of incidents blocked, tools deployed, or standards aligned to—rather than as a business risk that affects capital, liquidity, and franchise value.

Global policymakers have moved on. The Bank for International Settlements (BIS) classifies cyber risk as a systemic financial-stability issue, not just an operational headache (Crisanto, Pelegrini, & Prenio, 2023). The IMF likewise warns that cyber incidents can act as contagion channels in the financial system (Adelmann et al., 2020).

But many boards still view cyber through the lens of “IT uptime” rather than “systemic exposure.”

b. Oversight ≠ understanding

Adding review of a “cyber dashboard” to the board agenda is not the same as understanding cyber risk.

Research on security awareness shows that giving people more information does not automatically change behaviour; they must understand it and be motivated to act on it (Bada, Sasse, & Nurse, 2019). The same applies to boards: more reports don’t help if directors lack the literacy to interpret what they’re seeing.

c. Committees exist on paper, not in practice

The MENA study found that IT committee presence had no significant impact on the relationship between cyber disclosure and bank performance.

That suggests a common pattern: committees are created to “tick the box,” but:

  • meet infrequently,
  • lack directors with meaningful cyber expertise, or
  • focus primarily on compliance updates instead of challenging management on risk assumptions.

d. Board members rarely have cyber experience

In credit risk, market risk, or audit, most boards contain at least a few seasoned experts.
In cybersecurity, many boards have zero members with real-world experience in security, incident response, or digital resilience.

That doesn’t make boards malicious—just underpowered for the world they’re now governing.

3. What Effective Cyber Oversight Really Looks Like

If board size and committee labels aren’t enough, what does effective oversight look like?

The emerging picture from research and regulatory guidance is consistent:

  • Engaged with strategy, not just status.
    Boards that ask how cyber risk shapes digital transformation, cloud dependencies, and fintech partnerships—not just how many alerts were triaged.
  • Focused on systemic dependencies.
    BIS emphasizes that cyber regulation is now in a “second generation” where authorities look at system-wide dependencies, critical service providers, and concentration risk (Crisanto et al., 2023). Boards must do the same.
  • Scenario-driven, not metric-driven.
    Instead of only reviewing KPIs, effective boards ask:
    “Talk us through a realistic ransomware scenario. What fails? Who’s affected? How long are we down? What’s our plausible loss?”
  • Integrated with enterprise risk.
    Cyber isn’t a side topic. It belongs in discussions of capital planning, operational resilience, recovery and resolution planning, and reputational risk.

4. Why Disclosure Matters (And Why Boards Underuse It)

The MENA study’s primary result is simple and powerful:

Banks that disclose more about their cybersecurity posture and practices perform better.

Cybersecurity disclosure had a positive and significant effect on performance (measured by ROA), even after controlling for size and capital adequacy (Elsayed et al., 2024).

And when a CRO is present, that positive relationship becomes stronger.

Why would disclosure correlate with performance?

  • Disclosure forces management to formalize what they’re doing.
  • It reduces information asymmetry between banks and investors.
  • It signals governance quality and risk awareness to markets.

This aligns with broader disclosure theory: transparency tends to reduce perceived risk, which can improve valuation and lower the cost of capital.

Yet many boards still treat cybersecurity disclosure as a compliance burden or reputational liability, rather than a strategic asset.

5. The Real Problem: Boards Don’t Know What to Ask

Most board failures in cyber oversight are not about bad intent.
They’re about bad questions.

Here are six questions that change the conversation in any bank boardroom:

  1. What are our top three plausible cyber failure scenarios, and what is the estimated financial and operational impact of each?
  2. Which third parties and critical service providers create the greatest systemic exposure if they go down—or are compromised?
  3. How quickly can we realistically detect and contain a major incident in each of those scenarios?
  4. What key assumptions underlie our resilience plans, and how often do we test those assumptions?
  5. Where do we have known security or control gaps that we’re currently living with—and why?
  6. Which jurisdictions and regulations (DORA, NYDFS Part 500, MAS TRM, APRA CPS 234, etc.) are truly shaping our posture, and where are we behind?

A board that asks these questions regularly is already well ahead of the pack.

6. How CISOs Can Improve Board Engagement

CISOs and risk leaders can’t wait for boards to reinvent themselves. There are practical steps security leaders can take now:

  • Translate cyber into business impact.
    Express risk in terms of downtime, lost revenue, regulatory penalties, and capital effects—not only CVSS scores or tool performance.
  • Drop vanity metrics.
    “Number of blocked attacks” is noise: it measures attacker volume and tool verbosity, not how much risk was reduced, and it rises or falls for reasons the bank does not control. Focus on metrics tied to risk reduction and resilience: time to detect, time to contain, scenario coverage, dependency mapping.
  • Teach regulatory literacy.
    Use concise briefings to explain why regimes like DORA (EU), NYDFS Part 500 (New York), MAS TRM (Singapore), and APRA CPS 234 (Australia) matter—and what non-compliance would cost.
  • Build a disclosure roadmap.
    Work with legal, risk, and investor-relations teams to define what your organization will say about cyber posture, governance, and incidents—and why.
  • Advocate for governance modernization.
    Push for at least one director with genuine cyber or operational-resilience expertise. Align CRO, CISO, and internal audit roles so that risk information flows cleanly to the board.

7. The Opportunity Hiding in the Failure

The research from MENA, Bangladesh, and global policy bodies paints a coherent picture:

  • Cyber risk is now treated as systemic by central banks and international institutions.
  • Boards are adding formal structures but not consistently improving real oversight.
  • Cybersecurity disclosure, when paired with strong governance (especially an empowered CRO), is associated with better bank performance, not worse.

Boards aren’t failing because they don’t care. They’re failing because governance practices have not kept pace with the complexity, speed, and systemic nature of cyber risk.

For CISOs and risk leaders, this is not just a warning. It’s an opening.

Organizations that upgrade board-level cyber literacy, embrace meaningful disclosure, and treat cyber as a core financial risk will not just be safer—they’ll be more competitive.

Cybersecurity is no longer just a technical specialty.
It is the boardroom skillset of the next decade.


References

Adelmann, F., Elliott, J. A., Ergen, I., Gaidosch, T., Jenkinson, N., Khiaonarong, T., Morozova, A., Schwarz, N., & Wilson, C. (2020). Cyber risk and financial stability: It’s a small world after all (IMF Staff Discussion Note SDN/20/07). International Monetary Fund. https://www.imf.org/en/Publications/Staff-Discussion-Notes/Issues/2020/12/04/Cyber-Risk-and-Financial-Stability-Its-a-Small-World-After-All-48622

Australian Prudential Regulation Authority. (2019). Prudential Standard CPS 234: Information security. https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

Bada, M., Sasse, A. M., & Nurse, J. R. C. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672. https://arxiv.org/abs/1901.02672

Crisanto, J. C., Pelegrini, J. U., & Prenio, J. (2023). Banks’ cyber security – A second generation of regulatory approaches (FSI Insights on Policy Implementation No. 50). Bank for International Settlements. https://www.bis.org/fsi/publ/insights50.htm

Elsayed, D. H., Ismail, T. H., & Ahmed, E. A. (2024). The impact of cybersecurity disclosure on banks’ performance: The moderating role of corporate governance in the MENA region. Future Business Journal, 10(1), 115. https://doi.org/10.1186/s43093-024-00402-9

Mazumder, M., & Hossain, D. M. (2023). Voluntary cybersecurity disclosure in the banking industry of Bangladesh: Does board composition matter? Journal of Accounting in Emerging Economies, 13(2), 217–239. https://doi.org/10.1108/JAEE-07-2021-0237

Monetary Authority of Singapore. (2021). Technology Risk Management Guidelines. https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf

New York State Department of Financial Services. (2023). Cybersecurity regulation, 23 NYCRR Part 500 (as amended Nov. 1, 2023). https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

By S K