If a great majority of today’s corporate assets are digital and nearly 100% are managed and protected by digital systems, let’s agree our corporate world is, well, digital. And if AI-driven bots are indiscriminately and exceedingly successful at compromising these digital systems, let’s agree that cybersecurity risk is therefore our most formidable and ubiquitous risk.

It makes sense. All our assets are vulnerable to the AI-supercharged efforts of threat actors using sophisticated tradecraft to wreak havoc on our digital assets and the systems that host them. Get to our systems and data and you can bring the organization to its knees.

That’s why the SEC considers the disclosure of material cybersecurity risks – and how management and the board evaluate risks and oversee the cybersecurity program – as critical to the investment decisions made by investors. That’s also why cyber incidents must now be disclosed within four days after they are determined to be material.

This two-sided view of cyber risk, requiring both proactive and reactive disclosures, elevates cybersecurity governance from the Office of the CISO right into the laps of management and the board. It forces companies to align the forward-looking material risks they disclose in annual reports, 10-Ks, and 10-Qs with how they disclose material incidents in 8-Ks, because SEC enforcement actions can bite from both sides.

If, say, a material supply chain cyber risk was not disclosed to investors, and that risk turned out to be the root cause of a material breach, the SEC will want to understand if a risk that was exploited by threat actors should have been disclosed.

SEC cybersecurity compliance now requires alignment of risk and incident disclosure, a documented process for establishing materiality, and effective disclosure controls.

All of this means that cybersecurity governance has ascended from a “technical” endeavor to a board governance imperative. Competently overseeing cybersecurity risk and management is now a fiduciary duty of care. It expands the number of those who will be named in post-breach lawsuits. And it probably will compel smart CISOs to demand to be named as insured on the company’s D&O insurance policy as a threshold personal risk management requirement.

If they are to effectively govern cyber risk, boards should seriously consider adding to their cyber knowledge quotient by filling the next opening with a cyber-conversant member, as well as engaging a third-party advisor that is independent from consultants used by the management team. Companies should model an independent relationship between the CISO and the board risk management committee after that same unfettered relationship between the CFO and the audit committee. And companies should better train board members in the basics of cybersecurity to evidence that they take seriously that cybersecurity risk is the most consequential to board members’ fundamental responsibility as stewards of company assets.

Learn more about what boards should be doing in the face of today’s cyber threats and mandates, and contact our team for more information on how to get started.