Board-Level Cyber Risk: What Owners and Directors Should Be Asking Their IT Team.


At a board meeting in a Sligo financial services firm in early 2025, the managing director asked their IT provider — who attended the quarterly review — whether the company was protected against ransomware. The IT provider said yes. Eight weeks later, a ransomware attack encrypted the company's systems. The backup had silently failed three months earlier. The endpoint protection licence had lapsed. MFA had never been configured on the remote desktop service.

The managing director had asked the right question. They had not known how to evaluate the answer.

Under NIS2, Irish company directors are personally liable for cyber governance failures. The obligation is not to be a cybersecurity expert. It is to ask the right questions, understand the answers, and ensure that appropriate measures are in place. This guide gives directors the specific questions that reveal the real state of their organisation's security — and what good answers look like.


Why Directors Must Lead This Conversation

NIS2 Article 20 places responsibility for cybersecurity risk management explicitly on management bodies — not IT teams, not IT providers, but the directors and senior managers who govern the organisation. The obligation includes approving cybersecurity measures, overseeing their implementation, and being accountable if that oversight is absent [^1].

This is not a technical obligation. It is a governance obligation. Directors are not expected to configure firewalls. They are expected to ensure that someone is, that the configuration is appropriate, and that there is evidence of this.

The questions below are governance questions. They can be asked by any director, in any board meeting, without technical knowledge.


The Ten Questions Every Director Should Ask

One: Are all our staff accounts protected by multi-factor authentication — and can you show me a report confirming this?

A good answer provides a specific report from the Microsoft 365 admin centre or equivalent, showing MFA status for every account. A vague answer — "yes, we've set that up" — is not sufficient.

Two: When did we last successfully restore data from our backup, and how long did the restore take?

A good answer names a specific date within the past 90 days, describes what was restored, and gives a recovery time. An answer that cannot name a specific test date reveals that the backup has never been tested.

Three: What would happen if we lost access to our systems on Monday morning — how long before we were operational?

A good answer references a documented business continuity plan and a realistic recovery time objective based on tested procedures. An answer that begins with "well, we'd call our IT provider" reveals the absence of a plan.

Four: Have any of our staff email addresses appeared in data breach databases?

A good answer references a credential monitoring service and can provide the most recent check results. An answer of "I don't think so" reveals that no monitoring is in place.

Five: What services in our business are currently accessible from the internet, and what authentication protects each one?

A good answer lists specific services — email, remote desktop, VPN, web portals — and the authentication method for each. An answer that cannot enumerate the list reveals inadequate asset management.


Six: What is our patch status — how old is the oldest unpatched vulnerability in our environment?

A good answer provides a patching report showing compliance by device and application. An answer that cannot provide a specific report reveals no managed patching process.

Seven: Do we have a documented incident response plan, and when was it last tested?

A good answer names the document, confirms who is responsible for leading a response, and identifies the most recent tabletop exercise date. An answer that is uncertain about whether a plan exists reveals a gap.

Eight: What are the security requirements in our IT provider contract, and when did we last review whether they are being met?

A good answer references specific contractual obligations and a recent service review. An answer that reveals no security requirements in the contract identifies a supply chain risk.

Nine: If a significant incident occurred tonight, who would be called and in what order — including our cyber insurer?

A good answer names specific individuals with specific roles, and confirms the cyber insurer's claims number is known and accessible outside of email. A hesitant answer reveals inadequate incident response preparation.

Ten: Have we experienced any security incidents, near-misses, or anomalous events in the past six months?

A good answer provides specific examples — even if minor — demonstrating active monitoring. An answer of "nothing to report" from an organisation with no monitoring capability is not reassuring.


What to Do With the Answers

The answers to these ten questions give a board a clear picture of their organisation's actual security posture versus their assumed posture. Gaps between the two are governance issues that require board-level decisions about investment, provider management, and accountability.

Document the questions, the answers, and the board's decisions in board minutes. This documentation is the evidence that NIS2 Article 20 requires of management oversight. It demonstrates that the board engaged with cybersecurity governance — which is precisely the standard the regulation requires.

A board that has asked these questions, received clear answers, and documented its response to the gaps is in a materially different regulatory and legal position from one that has not. Both may have the same security posture. Only one has exercised the governance oversight that NIS2 requires.


What Next

  1. Add cyber risk to the next board or management meeting agenda. Use these ten questions as the framework. Ask them of your IT provider or IT lead. Document the answers.

  2. Set a standard for acceptable answers. Vague answers are not acceptable. Each question should produce a specific, verifiable response. If it does not, that is the finding.

  3. Commission an independent assessment. A board that wants confidence in its governance position should commission periodic independent assessment of its security posture — not relying solely on the reports of the team responsible for managing that posture.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: NCSC Ireland — NIS2 Management Body Obligations
[^2]: An Garda Síochána — National Cyber Crime Bureau
[^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
