Recent regulatory developments make it clear that cybersecurity is a board-level issue, intimately tied to the stewardship and overall risk profile of an organization.

SEC Cybersecurity Disclosure Guidance

In 2011, the U.S. Securities and Exchange Commission issued guidance on cybersecurity incident disclosure. Earlier this year, on Feb. 26, the SEC updated its guidance to further emphasize the criticality of cybersecurity preparedness for public companies, advising corporate directors to consider “the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.” The guidance also included reminders about applicable insider trading obligations related to disclosures of “material nonpublic information about cybersecurity risks or incidents.” While not explicitly calling for cybersecurity knowledge at the board level, the guidance does emphasize a growing list of cybersecurity topics directors must consider to effectively manage risk.

General Data Protection Regulation (GDPR)