Cybersecurity and Operational Resilience: A Board-Level Imperative

March 31, 2026

Cybersecurity and operational resilience have become defining boardroom issues in recent years. Escalating cyberattacks on financial services, critical infrastructure and supply chains, combined with evolving regulatory expectations and activist scrutiny, demand that directors adopt a proactive, strategic approach to cyber risk oversight.1 

Escalating Threat Landscape

In recent years, awareness of the risk posed by cyber incidents, and of the lack of cybersecurity preparedness, has grown. These increased risks are sector-agnostic; cybersecurity incidents affect every industry and both low- and high-profile companies. For example, in February 2024, Change Healthcare, a subsidiary of UnitedHealth Group and a critical payment processor for the U.S. healthcare system, was hit by a ransomware attack that caused prolonged nationwide disruption.2 The incident disrupted critical operations and payment flows throughout the healthcare sector, with reports indicating that the cyberattack was expected to result in cyber-related costs of more than $1.5 billion.3 The company expressly acknowledged that the operational disruption and financial losses were attributable to the cyber incident, highlighting the systemic risk posed by cyberattacks on essential service providers.4

Cyberattacks have further developed in speed, scale and sophistication, with threat actors, both outside and inside organizations, targeting vulnerabilities at the enterprise level and across the supply chain.

Several factors have contributed to the evolving cyber-threat landscape:

  • First, almost all economic activity now relies on electronic systems, so any incident disrupting those systems may have significant implications for companies and, in the event of a large-scale cyberattack, damaging effects on the broader economy. Cyberattacks have more than doubled since the COVID-19 pandemic, with the financial sector being one of the industries uniquely exposed to increased risk, in part due to the significant volume of data managed by financial entities.5 Over the past two decades, financial firms have experienced more than 20,000 cyberattacks, resulting in $12 billion in losses.6 The high level of interconnectedness across financial organizations and markets, together with their shared dependence on information technology systems, means that localized cyber incidents may spread across financial systems and across geographic boundaries.
  • Second, over the past few years the increased use of third-party service providers and the continued prevalence of remote work following the COVID-19 pandemic, together with the rapid “monetization” of cyberattacks through “ransomware-as-a-service” or “hacking-as-a-service”, have created a perfect storm for businesses despite their investment in cyber defenses.7
  • Third, the risk of significant losses resulting from cyber incidents has increased, with the size of such losses quadrupling since 2017 to $2.5 billion.8 Losses can extend beyond business disruption to litigation risks, reputational damage and remediation costs. For example, IBM reported that the global average cost of a data breach was $4.44 million in 2025, with the average cost in the United States (U.S.) being significantly higher at $10.22 million.9
  • Fourth, developments in artificial intelligence (AI) have exacerbated cybersecurity risks. Whilst certain AI tools create opportunities to enhance cyber defenses, other AI tools have been used maliciously to create more sophisticated malware and to automate phishing and social engineering attacks, making it easier for threat actors to execute their attacks. IBM reported that 16% of cyber breaches involved attackers using AI (typically in phishing and deepfake attacks), and that figure is likely to increase in the future.10 In addition, the use of AI tools adds to the privacy and data protection risks faced by enterprises. Cybersecurity, privacy and AI governance risks are intertwined: where a well-meaning but poorly trained employee uses a non-secure AI tool and accidentally inputs confidential, personal or commercially sensitive information, that information may be leaked into a publicly available online environment. This further emphasizes the need for organizations to treat AI and its associated cybersecurity and privacy risks as an operational resilience issue, with a clear and comprehensive governance structure, employee training and technical controls to prevent inadvertent disclosures and ensure compliance with data protection obligations.

In light of these increasing risks, the need for enhanced cybersecurity measures has never been greater, and boards must drive the investment.

Regulatory Pressures

Against the complex, layered and constantly evolving threat landscape facing organizations, regulators globally have developed more robust and prescriptive cybersecurity regulations and controls. Recent European and United Kingdom (U.K.) regulatory efforts to improve cybersecurity include the following:

  • The NIS 2 Directive11 revamps the earlier NIS Directive in relation to information security and imposes requirements on a wider group of essential and important entities in critical sectors such as energy, transport, banking, health, digital infrastructure, Information and Communication Technology (ICT) and manufacturing across the European Union (EU). Executive and supervisory boards, as well as senior management, are directly in focus, as EU member states are required to ensure that the “management bodies” of essential and important entities approve their own cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements of those measures. The members of the “management bodies” of essential and important entities are further required to undergo training so that they gain sufficient knowledge and skills to identify risks and to assess cybersecurity risk-management practices and their impact on the services provided by the entity. The U.K. is adopting a similar approach, with the draft Cyber Security and Resilience (Network and Information Systems) Bill currently going through the legislative process.
  • The Digital Operational Resilience Act (DORA),12 which entered into application on January 17, 2025, provides a comprehensive risk management framework to ensure that banks, insurance companies, investment firms and other financial entities can withstand, respond to and recover from ICT disruptions, including cyberattacks. Whereas financial institutions previously may have focused on ensuring they held sufficient capital to account for operational risks, DORA establishes comprehensive technical requirements to improve cyber resilience. DORA recognizes that “management bodies” should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy of the relevant entity. Similarly to NIS 2, DORA requires that members of the “management body” of the financial entity bear ultimate responsibility for managing the entity’s ICT risk and keep up to date with sufficient knowledge and skills to understand and assess the ICT risks.
  • The Cyber Resilience Act,13 which entered into force on December 10, 2024,14 introduces mandatory cybersecurity requirements for a wide range of stakeholders, including manufacturers of products with digital elements (a broad category encompassing virtually any software or hardware that connects to a network), in an effort to ensure all digital products are safe from cyber threats. This landmark regulation requires timely board attention, as security-by-design, product vulnerability remediation programs and supply chain (component) diligence will need to be developed now to avoid delays in the distribution of digital products on the EU market.

In the U.S., effective September 5, 2023, the U.S. Securities and Exchange Commission (the SEC) finalized new rules pertaining to “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (the SEC Rules).15 Notably, the SEC Rules introduce new guidelines to standardize disclosures regarding cybersecurity risk management for public companies subject to the U.S. Securities Exchange Act of 1934. The SEC Rules were issued due to the variety of disclosure approaches adopted by public companies and the increasing shareholder demand for timely, reliable information relating to cybersecurity measures. Under the SEC Rules, public companies are required to, among other things, disclose material cybersecurity incidents within four business days of determining materiality and describe their processes for assessing, identifying and managing material risks from cybersecurity threats.

In addition, the SEC has pursued multiple high-profile enforcement actions, including several against companies for producing misleading cyber disclosures. In October 2024, four companies were charged with making materially misleading disclosures regarding cybersecurity risks and intrusions, and those charges resulted in significant civil penalties.16 The charges against the four companies arose following an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and related activity. The SEC’s enforcement action reflects the importance of minimizing the consequences of cyberattacks on shareholders and the public through transparent and accurate disclosures. Notably, in the SEC’s enforcement action against SolarWinds Corporation in October 2023, both the company and its chief information security officer (CISO) were initially charged (with the charges later dismissed in November 202517) for internal control failures pertaining to cybersecurity risks and vulnerabilities,18 and, although subsequently dismissed, two shareholder derivative actions were also filed against SolarWinds’ directors.

Beyond the SEC, U.S. state-level regulation has accelerated, with new laws mandating incident reporting, prohibiting ransomware payments and requiring comprehensive information security programs for financial entities. The NIST Cybersecurity Framework (CSF) 2.0, released in 2024, now serves as one of the leading global benchmarks, emphasizing governance, supply chain risk management and board accountability.19 To illustrate, in 2025, the U.S. Department of Justice entered into a settlement with a leading U.S.-based biotechnology company specializing in DNA sequencing and genomics technologies to resolve allegations that it violated the U.S. False Claims Act when it sold certain genomic sequencing systems with cybersecurity vulnerabilities, including by making false representations that its software adhered to cybersecurity standards such as those issued by NIST.

Activists Leveraging Governance Lapses

A recent survey of industry professionals by the Chartered Institute of Information Security, a U.K.-headquartered not-for-profit with global membership from industry, academia and government, found that 91% of respondents believed the ultimate responsibility for cybersecurity rested with the board.20 In line with this sentiment, activist investors are increasingly citing cyber incidents and disclosure gaps as evidence of weak board oversight. Such lapses have fueled withhold campaigns and demands for board refreshment.21

In short, while cyber risk may previously have been delegated to information technology teams or CISOs, it is increasingly being recognized as a strategic, enterprise-level risk requiring input and oversight from the board.

Board Imperatives

To protect the enterprise and implement risk management measures, boards must ensure incident response plans are in place, with a clear delineation of roles between the board and senior management for cybersecurity oversight. For instance, boards should assess whether cyber oversight resides with the full board, the audit committee and/or a dedicated technology or cyber committee. Key stakeholders within the organization, such as the CISO, the Chief Information Officer (CIO) and the Chief Executive Officer (CEO), should also be sufficiently skilled and empowered, with defined roles in the incident response plan. For example, the Australian Signals Directorate’s Australian Cyber Security Centre notes in its guidelines for cybersecurity roles that the role of the CISO requires a “combination of technical and soft skills, such as business acumen, leadership, communications and relationship building.”22 In addition, one of the simplest ways to improve cybersecurity is to have the CISO report directly to the CEO, because the CISO then gains more control over the cybersecurity program through increased management responsibility and encounters less resistance when requesting the relevant security budgets. There remains, however, much discussion as to the appropriate reporting lines for a CISO.

Once responsibilities have been clearly delineated, regular tabletop exercises (appropriately structured and scoped, and often conducted under legal privilege) together with third-party assessments are critical to identifying and addressing gaps. Cyber resilience should be monitored on an ongoing basis, ensuring that incident response and disaster recovery plans are tested and improved as necessary. In this way, cybersecurity becomes embedded in every strategic decision and in the culture of the organization.

Supply chain risk must be integrated into governance frameworks, with alignment to NIST CSF 2.0 or equivalent standards. For instance, in 2025, the SEC settled charges with an Oregon-based broker-dealer and investment adviser for failures to maintain “reasonably designed policies and procedures concerning cybersecurity” following an unauthorized email account takeover that exposed the information of over 8,000 individuals.23 

Looking Ahead

The board has responsibilities for cybersecurity and operational resilience, whether directly imposed by emerging laws such as NIS 2 and DORA or arising from the practical realities of the potential impact of ever-evolving cyber threats. The dynamic threat landscape, heightened regulatory scrutiny and activist pressure require boards to move beyond compliance and adopt a strategic, enterprise-wide approach to cyber risk oversight. Looking ahead to 2026, boards must prepare for a cyber threat landscape increasingly shaped by AI-driven attacks, deepfakes and quantum computing risks, requiring a proactive and adaptive security posture. Regulatory efforts will continue to try to catch up with the speed at which threat actors evolve, with new rules mandating rapid and more comprehensive incident reporting across multiple industries (see, for example, the proposal for a streamlined reporting regime in the EU Digital Omnibus in relation to NIS 2, the CRA, DORA and the General Data Protection Regulation (GDPR)), enhanced third-party risk management and quantum-ready encryption strategies. Boards should ensure their organizations are not only compliant but also resilient, leveraging AI for both defense and detection and aligning cybersecurity investments with measurable business outcomes.

Action Checklist for Directors

To stay ahead of emerging threats and regulatory requirements, boards or any board-designated committees should take the following actions (if a committee has been assigned certain responsibilities, these should be documented in charters or board resolutions):

  • Assess Board Cyber Expertise: Board members need not be cybersecurity experts to fulfill their oversight and monitoring responsibilities, but they should have the skills necessary to understand and oversee cybersecurity risks. Consider engaging cybersecurity experts as board members or advisors, and ensure that adequate and reasonable reporting systems exist between the board and any relevant committees, and between the board and management. Be mindful that if advisors do not act exclusively for your organization, they should be provided with a business email account on your domain, and communications should ideally flow through that account, to minimize the risk of a loss of confidentiality or of the advisor’s cyber measures falling short of the security in place in your organization.
  • Oversee Cybersecurity Controls and Systems: Expertise dependent decisions, including the review and/or approval of technical standards or procedures or the review and/or selection of specific cybersecurity programs or products, are typically the responsibility of specialist corporate officers such as CISOs, CIOs or other subject matter experts. Boards should actively discuss cybersecurity risk with management, learn where cybersecurity weaknesses lie, ensure that cybersecurity systems/controls have been implemented and keep informed about the effectiveness of these systems/controls and the need for updates or changes. In addition, the board should approve the allocation of funds to information security and data privacy programs.
  • Review and Test Incident Response Plans: Ensure that cybersecurity incident response and disaster recovery plans are regularly tested and that responsible stakeholders are adequately trained on incident response through tabletop exercises and simulations; do not forget to ask to be included in the exercises.
  • Establish a Robust CISO Relationship: Understand the mandate and authority of the CISO within the company’s overall governance structure. Clarify the CISO’s decision-making power, including in the company’s budget allocation process and investment decision-making, and interact regularly with the CISO and CIO (and any other relevant stakeholders, such as the Data Protection Officer where applicable) for insight into complex cybersecurity issues that a board may otherwise lack the technical expertise to understand. In addition, understand the CISO’s role in the design, partnership and other agreements with outside vendors.
  • Scrutinize Third-Party Risk: Ensure that the company implements a third-party vendor risk management program that aligns with the enterprise’s cybersecurity framework and demonstrates that third-party vendors and suppliers have strong cybersecurity measures in place. Regularly assess the supply chain’s security posture.
  • Monitor Regulatory Developments: In consultation with the General Counsel, stay informed about evolving cybersecurity regulations, including updates from the EU and the U.K., other leading jurisdictions, as well as the SEC and other regulatory bodies.
  • Due Diligence: Ensure that the company engages in adequate cybersecurity-related due diligence in the context of investments, mergers and acquisitions, joint ventures and any business partnerships—in particular where data (whether personal or otherwise) is involved.
  • Ensure Accurate Disclosures: Review and update company disclosures to ensure compliance with any applicable reporting requirements, including under U.S., EU and U.K. regulations.
  • Engage with Activist Concerns: Proactively address shareholder concerns around cyber risk and governance and consider taking pragmatic steps to handle any potential activist campaigns.
  • Take Steps to Minimize AI Risks in order to Maximize AI Benefits: Train the board to understand the implications, both positive and negative, of the use of AI in the enterprise from a cybersecurity, privacy and AI governance perspective, in order to maximize the benefits for the enterprise of AI use.

1 IMF Global Financial Stability Report, April 2024: https://www.imf.org/en/blogs/articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability

2 https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and

3 https://www.reuters.com/business/healthcare-pharmaceuticals/unitedhealth-warns-115-135share-hit-this-year-hack-2024-04-16/

4 https://www.sec.gov/Archives/edgar/data/731766/000073176624000146/a2024q1exhibit991.htm; https://www.fiercehealthcare.com/payers/unitedhealth-group-posts-14b-loss-q1-amid-change-cyberattack-fallout

5 IMF Global Financial Stability Report, April 2024: https://www.imf.org/en/blogs/articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability

6 IMF Global Financial Stability Report, April 2024: https://www.imf.org/en/blogs/articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability

7 SEC Final Rule: https://www.sec.gov/files/rules/final/2023/33-11216.pdf

8 IMF Global Financial Stability Report, April 2024: https://www.imf.org/en/blogs/articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability

9 2025 IBM Report: https://www.ibm.com/reports/data-breach

10 2025 IBM Report: https://www.ibm.com/reports/data-breach

11 NIS 2.0 Directive: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

12 Digital Operational Resilience Act: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

13 Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

14 The main obligations introduced by the Cyber Resilience Act will apply from December 11, 2027, and the reporting obligations will apply from September 11, 2026.

15 SEC Final Rule: https://www.sec.gov/files/rules/final/2023/33-11216.pdf

16 SEC Press Release: https://www.sec.gov/newsroom/press-releases/2024-174

17 SEC Litigation Release: https://www.sec.gov/enforcement-litigation/litigation-releases/lr-26423 (civil enforcement action against SolarWinds and Timothy G. Brown dismissed)

18 SEC Press Release: https://www.sec.gov/newsroom/press-releases/2023-227

19 NIST CSF 2.0: https://www.nist.gov/cyberframework

20 https://www.tripwire.com/state-of-security/breaches-boards-cant-hide-behind-cisos

21 Wachtell Lipton Activism Outlook: https://corpgov.law.harvard.edu/2025/03/14/shareholder-activism-2024-review-and-2025-outlook/

22 Australian Government, Australian Signals Directorate: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-cyber-security-roles?utm_source=chatgpt.com

23 SEC Administrative Proceeding: https://www.sec.gov/enforcement-litigation/administrative-proceedings/34-104255-s

The 2026 Director’s Agenda

A Review of Risks and Opportunities for Corporate Directors

© 2026 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.