When it comes to cyber security, what are the most important things that board members need to be able to understand to effectively oversee cyber risk management?
In my personal view, board members must grasp the severity of cyber threats, understand the organization's risk posture, and support robust cyber risk management strategies.
a. Board members should remain abreast of emerging technologies and their implications for cyber security, ensuring alignment between technological innovations and risk management strategies.
b. Board members should actively promote and cultivate a culture of security throughout the organization, emphasizing the collective responsibility of all stakeholders in safeguarding sensitive information and assets.
c. Consideration should be given to procuring cyber insurance coverage as a means of mitigating financial risk associated with cyber incidents, complementing the organisation’s overall risk management strategy.
Speak to the board in the language that the business speaks. Don't inundate them with IT or mind-numbing cybersecurity statistics. The best advice I ever received about dealing with the board was to meet with them individually. Get to know them and understand their level of knowledge. Give them a chance to ask the questions they've always wanted to ask but were afraid to, then watch what happens at the next board meeting. They will ask the same questions that the two of you talked about… It makes you look like a genius, and them as well. It's like any other executive interaction: relationships matter.
Agree with Nikk - you MUST speak in the vernacular and business focus of the organization. When you can articulate the impact on the actual specific business elements, you will be able to drive the right results.
Risk tolerance. Without an understanding of that, everything will look like the sky is falling.
I like to tell them the 10 questions they should ask me according to the National Association of Corporate Directors (NACD):
1. How will we know we have been hacked or breached? What makes us certain, or how will we find out?
2. What are best practices for cybersecurity, and where do our practices differ?
3. In management's opinion, what is the biggest weakness in our IT systems? If we wanted to deal the most damage to the company, how would we go about it?
4. Does our external auditor indicate we have deficiencies in IT? If so, where?
5. Where do management and our IT team disagree on cybersecurity?
6. Were we told of cyberattacks that already occurred and how severe they were? For significant breaches, is the communication adequate as information is obtained regarding the nature and type of breach, the data impacted, and potential implications to the company and the response plan?
7. What part of our IT infrastructure can contribute to a significant deficiency or material weakness?
8. What do we consider our most valuable assets? How does our IT system interact with those assets? Do we think there is adequate protection in place if someone wanted to get them or damage them, and what would it take to feel comfortable that they were protected? Do we believe we can ever fully protect those assets? How should we monitor the status of their protection?
9. Are we investing enough so our corporate operating and network systems are not easy targets by a determined hacker?
10. Where can we generate more revenue and marginal profitability by making changes in IT?
Next, I attempt to answer these questions. It is important to come back to these questions in subsequent meetings if we believe that there are elements to be explored in greater depth. We can also monitor changes in the environment or new technologies.