Best practices for board-level cybersecurity oversight

In an era of escalating digital threats, the corporate board finds itself under increasing pressure to provide meaningful cybersecurity oversight.

Since 2023, the Securities and Exchange Commission (SEC) has mandated that public companies disclose their board-level cybersecurity oversight practices in annual filings, underscoring the fact that cyber-risk is now a fundamental aspect of corporate governance. To meet these obligations effectively, boards must establish clear governance structures, engage proactively with cybersecurity leaders and integrate cyber-resilience into broader business strategies.

SEC to boards: Cybersecurity oversight matters

The SEC’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules require public companies to detail the following cybersecurity oversight practices.

Board-level cybersecurity responsibilities

Companies must specify whether a committee, subcommittee or individual board member is responsible for cybersecurity oversight.

Many organizations delegate this duty to the audit committee, risk committee or a dedicated cybersecurity subcommittee. At Nemertes Research, we usually see clients assign oversight…
