Zscaler Blog


An Analysis of Board-Level Cybersecurity Risk Oversight

ROB SLOAN
May 15, 2026 - 7 min read

Key Points:

  • Audit First Approach: The majority—almost four in five—of S&P 500 companies oversee cybersecurity risk from the Audit committee.
  • Picture Still Fragmented Outside Audit: Fewer than one in ten companies oversee cyber risk from the Risk committee, though among financial services companies this rises to 39%. Fewer than one in 20 oversee cyber risk from the full board level.
  • Converging on Audit Committee Oversight: Since 2024, the number of companies overseeing cyber risk from the Audit committee has increased. Fewer companies now formally assign oversight to the full board or a technology/cybersecurity committee.
  • Potential Oversight Gap: When cyber oversight sits within the Audit committee, boards may be viewing a fast-moving, highly technical risk through a narrow lens as part of an already-crowded agenda. 

Research Findings:

Zscaler analyzed Securities and Exchange Commission disclosures (primarily 10-K and proxy statement filings) from S&P 500 companies to understand cyber risk oversight at the board level. 

The research highlights how leading public companies on the S&P 500 index are increasingly converging their cyber risk governance around the Audit committee. As of March 1, 2026, 79% oversee cybersecurity risk via the Audit committee. 

Of the remainder, 8% perform oversight of cyber risk from the Risk committee, 6.2% from a technology/cybersecurity committee, and 3.8% from the full board level. A small number of other companies oversee the risk from Safety/Operations, Governance/Nominating or Compliance/Regulatory committees.

Figure 1. The primary ‘home’ for cyber risk oversight, 2026 vs 2024.

| Oversight Option | 2026 Result | 2024 Result |
| --- | --- | --- |
| Audit | 79% | 71.2% |
| Risk | 8% | 8% |
| Technology/Cyber | 6.2% | 7.2% |
| Full Board | 3.8% | 8.2% |
| Safety/Operations | 1.6% | 2% |
| Governance/Nominating | 1.2% | 1.6% |
| Compliance/Regulatory | 0.2% | 0.4% |
| Other | 0% | 1.4% |

The data highlights some shifts since the research was last conducted in February 2024. At that time, 71.2% of the S&P 500 conducted oversight from the Audit committee. The 7.8 percentage point shift in two years supports the trend toward convergence in how the risk is governed. Oversight from the Risk committee remained static at 8%, while oversight by the full board fell by 4.4 points. Oversight from a technology/cybersecurity committee fell from 7.2% to 6.2%.

On a sector basis, the picture varies significantly. Of the 31 real estate companies in the S&P 500, 97% oversee cyber risk from the Audit committee. Over 95% of energy and communications companies treat cyber risk the same. The outliers are companies in the utilities and financial services sectors (52% and 46% respectively). 

Of the 31 utilities companies on the index, eight oversee cyber from a safety/operations committee, four from a technology/cybersecurity committee, two from the Risk committee and one from the full board. For financial services companies, the Risk committee leads oversight in 39% of cases, and technology/cybersecurity committees in a further 11% of cases.

Figure 2. Percentage of companies within each GICS sector where Audit is the primary home for cyber risk oversight.

| GICS Sector (number of companies) | Audit Committee Oversight |
| --- | --- |
| Real Estate (n=31) | 96.8% |
| Energy (n=22) | 95.5% |
| Communication Services (n=21) | 95.2% |
| Materials (n=26) | 92.3% |
| Health Care (n=60) | 88.3% |
| Information Technology (n=68) | 86.8% |
| Consumer Discretionary (n=51) | 86.3% |
| Consumer Staples (n=38) | 84.2% |
| Industrials (n=78) | 79.5% |
| Utilities (n=31) | 51.6% |
| Financials (n=74) | 45.9% |

Oversight Observations:

Cyber risk oversight from the Audit committee raises a number of concerns:

1. Audit-first can narrow cyber oversight to compliance and controls

The concern is a governance model where cybersecurity becomes a maturity-scorecard exercise instead of a threat- and impact-informed view of enterprise risk. When cyber risk is housed primarily in the Audit committee, the discussion can naturally gravitate toward what Audit does best: controls, compliance, and assurance. That’s valuable, but it can also tilt oversight toward “Are the right policies, training, and control attestations in place?” rather than “Are we reducing the most material loss scenarios?” 

Cyber risk is fundamentally about operational resilience and business exposure (disruption, third-party dependencies, identity compromise, recovery readiness), and those issues don’t always show up cleanly in traditional control frameworks. 

2. Capacity and agenda crowd-out risk

The concern is that cybersecurity oversight becomes consistently underpowered because it must compete with too many other mission-critical obligations for limited committee time and attention.

Audit committees are already overloaded with standing responsibilities, including financial reporting, internal controls, external auditor oversight, whistleblower matters, and often expanding disclosure expectations. Adding cybersecurity to that agenda can unintentionally compress it into a recurring dashboard update rather than sustained oversight with time for scenario discussion, decision points, and follow-through. Over time, this can create a “checkbox cadence”: cyber appears regularly, but only in a thin slice of meeting time, with limited opportunity to probe assumptions, test management’s preparedness, or explore material tradeoffs. The practical risk is not neglect by intention, but dilution by competing priorities.

3. Potential mismatch between oversight needs and committee expertise

The concern isn’t that Audit can’t own cyber; rather, it’s that cyber ownership requires a level of technical and operational skepticism that many Audit committees haven’t historically been built to provide.

Audit committee composition is often optimized for financial literacy and governance rigor, not necessarily for modern security and technology depth. If cyber risk increasingly sits with Audit without an accompanying increase in cyber fluency, the committee may struggle to challenge management on the issues that matter most, such as architecture choices and progress toward zero trust, identity and access weaknesses, cloud concentration, third-party dependency risk, detection and response effectiveness, and recovery realism. In that environment, oversight can become overly dependent on management’s framing, or on assurance activities that don’t fully address operational security effectiveness.

Strategic Red Flag?

Reduced full-board engagement (8.2% in 2024 to 3.8% in 2026) may also be a strategic red flag. A shift away from full-board involvement can signal that cybersecurity is being treated as a specialized compliance topic rather than a core enterprise and strategy risk. That’s problematic because cyber outcomes directly affect growth, customer trust, M&A integration, product velocity, supply chain reliability, and brand resilience—areas that demand full-board attention and alignment on risk appetite. 

Committee oversight of cyber risk also increases the likelihood that full boards spend less time on emerging areas that are quickly becoming inseparable from cyber risk, including agentic AI governance, securing enterprise AI deployments, changes to the cyber threat and risk landscape due to AI, and risks associated with employee use of AI. When the full board isn’t regularly engaged, the organization can miss the “big decisions” layer of governance: what level of disruption is tolerable, what resilience targets are required, what investment tradeoffs are acceptable, and how cyber posture supports the business model. 

Even strong committee oversight can’t substitute for full-board ownership of the most material cyber-risk decisions.

Questions for the Board:

Directors should periodically check whether the way they are overseeing cybersecurity risk on their board is appropriate. The following questions may help:

1. Are we overseeing cybersecurity as an enterprise risk (business impact and resilience), or mainly as a controls/compliance topic? What are the top loss scenarios, critical dependencies, and recovery objectives? How often does the board test those assumptions?

2. Do we have enough time, focus, and meeting structure for meaningful oversight, especially if cyber sits with the Audit Committee? Are we doing periodic deep dives, independent briefings, and incident simulations, or mostly receiving dashboards and status updates?

3. Is the board’s oversight model matched to the risk—clear ownership, the right expertise, and full-board engagement on the biggest decisions? Who owns key areas like third-party concentration, resilience targets, and risk acceptance, and when does the full board weigh in on tradeoffs and investment levels?

Methodology

The research used the most recently published (as of March 1, 2026) 10-K and proxy statements for each of the S&P 500 companies, as well as committee charter documents available on corporate websites, to determine which committee had primary oversight of cybersecurity risk.

Committee names were standardized by mapping each company’s disclosed oversight body to one of a small set of common categories (for example “Audit Committee,” “Risk Committee,” “Technology/Cyber Committee,” or “Full Board”), consolidating similar titles (such as “Audit & Compliance” or “Risk & Finance”) under the closest primary oversight function.

If multiple bodies were named, we coded the body described as having primary/lead oversight; when oversight was described as shared without a lead, we coded the committee most directly responsible for cybersecurity oversight based on charter language and recency of disclosure. Where inconsistencies between different disclosures were observed, the most recently published document was used.

Many disclosures note that while a particular committee owns oversight of cyber risk, the board retains ultimate oversight. In this case, the named committee is used as the primary home of oversight.

We updated the 2024 dataset using the 2026 categorization rules to enable apples-to-apples comparison; minor differences from the previously published 2024 figures reflect this revision.

Global Industry Classification Standard (GICS) sectors and sub-sectors are used to group companies. 
