Cyber risk is business risk, and the SEC knows it 

Excerpt

A long overdue policy change to improve corporate governance on cybersecurity is taking effect.

At the end of July, the Securities and Exchange Commission adopted new rules requiring publicly traded companies and foreign private issuers to disclose material cybersecurity incidents; they are also required to annually update their cybersecurity risk management policies and governance. These companies are drivers of innovation and critical to the strength of the U.S. economy. It is in the public interest that they take corporate responsibility for their cybersecurity. 

This guidance comes none too soon, as American businesses are under an unprecedented level of cyber threat. Compromises of personal data are a daily occurrence. Ransomware attacks are up and increasingly costly to address. Cyber theft of proprietary information is persistent. Foreign nations are installing malware to facilitate future malicious activity. And because of our perpetually increasing network integration (which fuels economic growth), the consequences of successful cyberattacks are also growing exponentially. 

Chris Inglis is a CSC 2.0 Distinguished Advisor and was the inaugural National Cyber Director from 2021-2023 and the deputy director of the National Security Agency. Rep. Jim Langevin currently serves on the CCTI Board of Directors and he represented the 2nd District of Rhode Island from 2001-2023. Mark Montgomery is senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. All three served on the Cyberspace Solarium Commission and are strategic advisors at Paladin Capital Group.