Privacy and cybersecurity concerns are expanding, and with them the number of laws and regulations. Boards play a key role in ensuring that companies are positioned to comply with various jurisdictional requirements, that they understand and mitigate related risks, and that they are well prepared to play a key role in responding to security breaches and incidents. Indeed, enforcement actions issued by the U.S. Securities and Exchange Commission in 2021—including penalties levied due to a lack of senior leadership awareness of the identification of and response to security vulnerabilities—sharpened this focus and shed light on regulatory expectations of corporate board oversight relating to privacy and cybersecurity.
Recognizing that companies are at different points in this journey, boards should heed guidance on how to prepare for the ever-evolving landscape of privacy and cyber laws. This article provides advice on oversight in this area and is directed at assuring boards that management is prepared to get ahead of potential breach issues and respond effectively when a breach or an incident arises.