“Across America companies are desperately seeking direction as they grapple to identify and follow best practices for cyberrisk management. … Yes, new rules and regulations can help push companies toward cyberresiliency. Yes, improved technological defenses will help mitigate the cyberthreat. But these are tactical responses to a strategic problem. We need to think bigger. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention. In short: the cyberthreat is a corporate governance issue.”  —Commissioner Robert J. Jackson Jr., “Corporate Governance: On the Front Lines of America’s Cyber War,” March 15, 2018, speech at Tulane University Law School, 30th Annual Corporate Law Institute

Over the years, companies’ approach to cybersecurity has shifted from considering it as a purely technological issue or an issue that can be handled through a combination of technological and regulatory measures, to the current trend of a comprehensive approach to cybersecurity as a governance issue. This trend is clear in the new Interpretive Guidance on Public Company Cybersecurity Disclosures issued by the Securities and Exchange Commission (SEC) on Feb. 21.