Twenty Questions for Directors about Cybersecurity

Cybersecurity is a major area of concern for companies and for their Boards of Directors. So the directors need to look into the policies and procedures around cybersecurity in some depth. Directors generally conduct their work by determining how management is handling the issues, but to do that, they need to know what the issues are. In other words, they need to know what questions to ask. 

Cybersecurity issues revolve around the nature and extent of the underlying risks involved. The questions the Directors must ask address the risks and attempt to determine what safeguards are in place, where the vulnerabilities are in the organization, what assets are at risk, how management is organized to handle a breach, what insurance they have, and other similar questions.

The answers to the Directors’ questions must be complete and supported by concrete evidence.

in 2019, CPA Canada released a short guide to help. It’s titled “Twenty Questions Directors Should Ask About Cybersecurity” and is available at

Something for every Director’s briefcase.

Leave a comment


  • No comments found