Board Oversight of Cybersecurity and Operational Resilience in a Shifting Regulatory and AI Threat Landscape

A ransomware attack can freeze payments across an entire sector. A deepfake can authorize a fraudulent wire transfer in minutes. And a single vendor weakness can cascade through interconnected markets. In this environment, cybersecurity is no longer a technical matter to be “handled by IT”—it is a board-level governance and operational resilience imperative.

The Department of Defense (DoD) has introduced the Cybersecurity Risk Management Construct (CSRMC), a new framework that replaces the legacy Risk Management Framework. CSRMC emphasizes automation, continuous monitoring, and real-time visibility, marking a significant shift away from static, checklist-driven processes.

AI policy for the health and life sciences sector has continued to take shape. Building on recent activity, on July 23, 2025, the White House released its highly-anticipated AI Action Plan, setting forth the Trump Administration’s recommended policy actions to accelerate AI innovation and build American AI infrastructure. This Plan recommends policies that would promote AI adoption, the creation of “AI-ready” scientific datasets and the establishment of real-world AI evaluation systems by and for the health care and life sciences industries.

The U.S. Court of Appeals for the Sixth Circuit has upheld a 2024 Federal Communications Commission (FCC) Order that significantly broadens telecommunications carriers’ breach notification obligations. This decision, issued on August 14, 2025, in Ohio Telecom Association v. FCC, mandates that carriers disclose breaches of any customer personally identifiable information (PII), not just customer proprietary network information (CPNI), and applies to both inadvertent and intentional breaches.²