In response to the increasing importance of cybersecurity in the digital age, new rules such as the U.S. Securities and Exchange Commission’s (SEC) cybersecurity disclosure requirements, the European Union’s Digital Operational Resilience Act (DORA), and the U.S. National Institute of Standards and Technology’s Cybersecurity Framework (CSF) 2.0 demand greater involvement from company boards in managing cybersecurity risk. These rules require detailed disclosures about cybersecurity strategy and governance in annual reports, with an emphasis on board-level oversight and risk management.
- New rules necessitate enhanced cybersecurity risk management and reporting, especially from company boards.
- DORA and NIST CSF 2.0 emphasize a comprehensive, organization-wide approach to cybersecurity governance.
- The SEC now requires public companies to disclose their cybersecurity risk strategies and board involvement in annual reports.
This shift in cybersecurity governance calls for a whole-of-business approach that extends beyond the Chief Information Security Officer (CISO) to the entire C-suite and the board of directors. Companies must prepare for structural and cultural changes in order to comply: educating leaders about cyber strategy and incorporating cyber risk management into business strategy. Federal agencies are likewise encouraged to adopt these frameworks, integrating cybersecurity decisions with mission requirements and ensuring that senior officials understand and manage cyber risk, particularly as cybersecurity threats increase globally, as illustrated by the significant September 2023 incident in which Chinese hackers compromised the U.S. State Department.