Shaping the Boardroom Agenda: Critical Questions on Risk, Cybersecurity, AI and Strategy
As we reach the midpoint of 2025 and move into the third quarter, boards face rising complexity driven by geopolitical tension, changes in tax law and ongoing economic uncertainty. Trending risk areas include energy security, supply chains, crisis management, cybersecurity, artificial intelligence (AI) governance, stronger corporate oversight and the passage of the One Big Beautiful Bill Act.
Our team at Weaver has identified the key topics boards should consider to ensure their agendas address the latest developments in corporate strategy, emerging risk and governance.
Has the board reviewed how management is preparing for catastrophic or black swan events?
Unexpected disruptions — from bridge collapses to cyberattacks — can bring operations to a halt and damage reputation. Boards should ensure companies have developed mitigation strategies and tested response plans for infrequent but high-impact scenarios. Assessing which events could disrupt operations along with the potential impact of such events is a vital part of enterprise-wide risk management.
Boards should engage management to assess whether business continuity and impact analyses are in place and ready to guide effective response to unforeseen events. Key questions boards should be asking include:
A. Risk scenario assessment:
- What catastrophic scenarios has management modeled, and how were these selected based on risk exposure and potential impact?
- What did the scenario analysis reveal about operational vulnerabilities and how have those findings been incorporated into response planning?
- How often are catastrophic scenarios updated and tested, and does the analysis include cross-functional coordination and external dependencies (e.g., suppliers, infrastructure, regulators, communications)?
B. Business continuity analysis:
- Has management developed and tested a comprehensive business continuity plan that addresses critical operations and recovery timelines?
- What assumptions underlie the continuity strategy, and how have they been validated through scenario planning or real-world disruptions?
- How is business continuity integrated into broader risk management and crisis response frameworks?
C. Business impact analysis (BIA):
- Does the BIA evaluate how each event could disrupt strategy, operations, finances, IT infrastructure, customer trust, reputation and compliance?
- Does the BIA evaluate the estimated recovery time of the events?
- How frequently is the BIA updated, and has it been tested against recent scenarios such as cyberattacks, infrastructure failures or supply chain disruptions?
- Does the assessment evaluate the interdependence on third-party service providers?
D. Key risk indicators:
- Are key risk indicators, such as unusual data patterns, vendor alerts, regulatory alerts, trade organization trends and geopolitical signals, being monitored to identify trends that point to elevated risk?
E. Incident response plans:
- Do incident response plans specify the immediate actions to be taken and identify the individuals responsible for performing them?
- Do incident response plans identify personnel that will lead the coordination effort and which communication methods should be used?
- Do communication protocols include clear escalation procedures and a chain of command?
- Do incident response plans include how operations will be sustained, including backup and redundant systems?
F. Governance:
- Are incident response and catastrophic event plans documented with assumptions?
- Are incident response plans tested to identify vulnerabilities?
- Do the vulnerabilities indicate the need to charter a catastrophic risk event committee or similar function?
- Is there a catastrophic response team with backup personnel?
- Does the catastrophic response team meet at least semiannually for training and updates?
- Are changes made to incident response plans documented and discussed with the crisis management team?
- Are incident response plan updates provided to the board as part of the enterprise risk management process?
What should boards know about cybersecurity frameworks and how AI is governed?
A cybersecurity framework serves as the foundation to protect data, systems, operations and reputation from emerging threats. Cybersecurity frameworks can follow established standards or evolve from a company’s own criteria. Whatever is used, the framework should include, at a minimum, the key components of risk assessment, identity and access management controls, incident response, system resilience and continuous monitoring. Below are questions boards should be asking about cybersecurity frameworks and AI:
Cybersecurity framework oversight
- Cyber risk assessment:
  - Is there a comprehensive cyber risk assessment conducted at least annually and incorporated into the company’s strategy?
  - Does the cyber risk assessment evaluate the in-house resources (talent and tools) needed and whether third-party resources are necessary to fulfill existing operating requirements?
- Frameworks: Does the company use one or a combination of the following established frameworks as part of its cybersecurity strategy?
  - National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): Provides a common language for cybersecurity risk management and focuses on six core functions: Govern, Identify, Protect, Detect, Respond and Recover
  - International Organization for Standardization (ISO 27001): An internationally recognized standard for information security management systems (ISMS), requiring organizations to establish, implement and maintain a documented ISMS for a defined control environment
  - Center for Internet Security (CIS) Critical Security Controls: A prioritized list of 18 cybersecurity controls and supplemental safeguards designed to instill basic cyber hygiene and protect data and systems from common cyber threats
  - Payment Card Industry Data Security Standard (PCI DSS): A set of security requirements designed to protect payment card data, which organizations that store, process or transmit credit card information are commonly required to meet
  - Health Information Trust Alliance (HITRUST): A not-for-profit organization that developed the HITRUST Common Security Framework (CSF), a security framework designed to help organizations manage information risk and protect sensitive data, particularly in the health care industry
Data governance: Effective data governance ensures that data is accurate, secure and used responsibly across the organization. Boards should oversee whether the company has a robust data governance framework that supports strategic decision-making, regulatory compliance and risk mitigation.
- Data inventory
  - Has the organization developed and maintained a comprehensive data inventory that identifies what data is collected, where it resides, how it flows across systems and who has access to it?
  - Is the inventory regularly updated to reflect changes in data sources, systems and business processes?
- Data ownership and accountability
  - Is there a clearly defined data governance structure that assigns ownership and accountability for data across business units?
  - Are data stewards or data governance committees in place to oversee data quality and compliance?
  - Note: Sometimes, this simply takes the form of a Responsible, Accountable, Consulted and Informed (RACI) chart before evolving into a fully managed data governance program.
- Data classification and lifecycle management
  - Does the organization classify data based on sensitivity and criticality (e.g., public, internal, confidential, restricted)?
  - Are there policies for data retention, archival and secure disposal aligned with legal and regulatory requirements?
- Data quality and integrity
  - Are there processes to ensure data accuracy, completeness and consistency across systems?
  - Is data quality monitored regularly, and are there remediation protocols for addressing data issues?
- Privacy and regulatory compliance
  - Does the company comply with applicable data privacy laws and regulations (e.g., the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA))?
  - Are privacy impact assessments conducted for new projects or technologies that process personal data?
- Nth party (third party and fourth party) data risk management
  - Are vendors and service providers evaluated for their data handling practices?
  - Is there a process for ensuring that data shared with or accessed by third and fourth parties is protected and used appropriately?
AI oversight: As companies adopt AI, new risks are emerging, such as data privacy concerns, algorithmic bias and increased cyber threats. Boards should be asking the following questions to ensure the cybersecurity framework addresses both existing and emerging AI risks:
- Does the organization have an acceptable use policy that addresses AI?
- Is there an inventory of both approved and utilized AI solutions?
- Are AI tools aligned with enterprise risk management (ERM) and the cyber risk strategy?
- Have key roles been evaluated for skills that AI cannot replace?
- Are AI policies and ethical frameworks in place to address potential bias?
- Are monitoring protocols established to ensure regulatory compliance and transparency?
- Is AI governance overseen by the board or a technology committee?
What are directors’ key responsibilities and what insurance coverage should they have?
Directors function in a fiduciary capacity and have a legal and ethical obligation to act in the best interests of stakeholders — employees, customers, shareholders and the community. Below are key questions to consider when fulfilling board responsibilities and understanding what insurance coverage may be adequate for board members:
A. Areas of board responsibility:
- Strategic direction: Does the board help executives clarify the organization’s mission, vision and goals?
- Management oversight: Is the board effectively evaluating the CEO and ensuring succession plans are in place?
- Risk oversight: Are executives managing enterprise risks and revising strategy as necessary?
- Financial integrity: Are internal controls in place and working effectively, and is management addressing identified control weaknesses in a timely manner?
- Monitoring performance: Is the board monitoring performance against strategic and financial goals?
- Upholding stakeholder interests: Is the board upholding its fiduciary duty by ensuring compliance with laws and company policies?
- Corporate governance: Does the board promote strong governance through ethical practices, including: (1) a code of conduct, (2) conflict and whistleblower policies, (3) board charters and (4) appropriate board composition?
B. Insurance Coverage for Directors: Having the right director insurance coverage is essential in the board role. The types and amounts of coverage can vary based on factors like the industry, size of the organization and level of risk exposure. Below are questions boards can ask to evaluate the types and limits of coverage:
- Types of coverage for directors:
  - What type of personal coverage best protects directors when the organization becomes insolvent or there are conflicts of interest?
  - What types and amounts of fiduciary, cyber and general liability coverage should be in place for adequate protection?
  - What types of coverage should directors have when the company is public vs. private?
- Coverage limits: While coverage limits can vary depending on multiple underwriting considerations, what limits should a director expect?
  - Public companies: Limits from $10 million to over $100 million due to the increased risk of shareholder lawsuits and regulatory scrutiny.
  - Private companies: Limits of $1 million to $10 million depending on factors like revenue, assets and industry.
  - Not-for-profit organizations: Limits often start at $1 million in coverage and increase based on the organization’s size, activities and potential risks.
  - General rule of thumb: Some experts suggest securing coverage equal to 1% of the organization’s assets or annual revenue (whichever is greater), with a minimum of $1 million.
What are the current merger and acquisition (M&A) and initial public offering (IPO) trends for the remainder of 2025 and into 2026?
Slowed momentum:
- The initial optimism for strong 2025 Capex, M&A and IPO activity pre-election has been impacted by global economic uncertainty and policy shifts. Influencing factors include trade tariffs, tax legislation and geopolitical activity.
- Companies seem to be adopting a wait-and-see approach, leading to delayed or withdrawn deals. Technology (with AI leading the charge) is the exception, as this sector has seen an increase in Capex during 2025.
Outlook:
- Factors such as substantial sidelined private equity capital and anticipated lower interest rates could boost Capex, M&A and IPO activity in the latter half of 2025 and into 2026.
- We expect technology to continue to be a driving force in areas like AI-powered innovations, cloud infrastructure and cybersecurity.
- Boards should watch trending sectors like health care and financial services, which are likely to see consolidation if interest rates, tariffs and other influencing factors stabilize and reduce uncertainty.
How will the recent tax reconciliation bill, known as the One Big Beautiful Bill Act (OBBBA), impact the company’s cash tax obligations?
The OBBBA was signed into law on July 4, 2025. Our Weaver tax team is hosting a One Big Beautiful Bill Act webinar series about the bill that can be attended live and will be available for replay. Below are highlights of the provisions that will impact business cash tax obligations in the near term:
- C corporation income tax rate: The bill maintains the 21% corporate income rate.
- Bonus depreciation: The bill permanently increases first-year bonus depreciation to 100% for qualified tangible property placed in service after January 19, 2025.
- R&D expensing: Current research and development (R&D) expenditures are subject to capitalization with a five-year amortization period. The bill permits immediate deduction of U.S. domestic R&D incurred after December 31, 2024, and makes this treatment permanent going forward. The bill also permits a retroactive catch-up deduction for R&D costs capitalized in the 2022-2024 tax years for all taxpayers. Taxpayers with average annual gross receipts of less than $31 million are eligible to retroactively expense R&D by amending their 2022-2024 returns. Foreign R&D must still be capitalized and amortized over 15 years.
- Increased Section 179 deduction: Section 179 allows businesses to immediately deduct the full purchase price of qualifying equipment and vehicles in the year they are placed in service. The bill raises the threshold from $1.25 million to $2.5 million, with full phase out at $4 million, indexed for inflation, boosting small business investment capacity.
- Interest deduction limitation (Section 163(j)): The bill permanently changes the base for the 30% limitation from the more restrictive earnings before interest and taxes (EBIT) to earnings before interest, taxes, depreciation and amortization (EBITDA). This will increase the amount of deductible interest. The change is effective for tax years beginning after December 31, 2024.
- State and local taxes (SALT): Under the bill, C corporations can still deduct the full amount of state and local taxes paid with no federal limit. The bill does not restrict state-level pass-through entity taxes (PTET) for S corporations or partnerships, which means owners can still bypass the SALT cap using PTET elections. The bill increases the SALT deduction for individuals from $10,000 to $40,000, subject to certain income limitations.
- International tax implications: There are a series of significant changes around the current global intangible low-taxed income (GILTI), base erosion and anti-abuse tax (BEAT), and foreign-derived intangible income (FDII) international tax regimes. These changes are substantial and complex and could have a significant impact on current cash tax obligations.
Weaver offers information and insights to help you ask the right questions and determine appropriate plans of action as topics and trends unfold. Subscribe to our monthly insights for articles and information to help you review your organization’s operations and prepare for change in an uncertain world. Contact us for information about these areas of board governance and taxation.
©2025