Across global markets, several developments drive heightened attention to how boards address their complex and increasingly important cybersecurity oversight responsibilities. These developments include the constantly changing nature of cybersecurity risk, as well as the high and ever-growing financial, operational, and reputational costs when breaches occur.
At the same time, companies face rising demands and expectations from a wide range of stakeholders—from policymakers and investors to employees and customers—to strengthen operational resilience and improve consumer data security.
Board governance effectiveness is also in the spotlight, both in how boards oversee risks and in whether board composition, board structure, director skillsets, and board processes are sufficiently attuned to navigate the challenging cybersecurity landscape.
The SEC issued guidance in 2018 that highlighted the gravity of cybersecurity threats to “investors, our capital markets, and our country,” reemphasizing companies’ disclosure obligations for cybersecurity risks and the potential impacts on business.1 In doing so, the SEC observed that “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”