Evolving Cybersecurity Governance Expectations for Boards Across the United States, United Kingdom, and European Union

Boards across the United States, United Kingdom, and European Union are under growing pressure to demonstrate effective oversight of cybersecurity risks as incidents become more frequent and impactful. Regulatory developments and heightened expectations around risk governance have transformed cybersecurity oversight into a core boardroom issue. By synthesising materials from government agencies, industry bodies, and legal experts, this resource aims to support directors in fulfilling their fiduciary duties and enhancing organisational resilience in the face of cyber threats.

Key Takeaways:

  • The French national cybersecurity regulator (ANSSI) hosted a tabletop exercise involving over 5,000 professionals from 1,000 public and private organisations, underscoring the critical need for companies and leadership teams to embed robust crisis-management strategies to prepare for and respond to cybersecurity incidents.
  • Several board-level professional associations have published guidance for directors on implementing and overseeing their organisations' cybersecurity programs, reflecting a growing recognition that cybersecurity is not merely a technical issue but a core component of corporate governance and organisational resilience.
  • Organisations are encouraged and often required to maintain safeguards that protect internal, proprietary, and customer data, including technical defences against cyberattacks and employee education on cybersecurity best practices.
  • Government entities in the U.S., UK, and EU have published control frameworks that organisations can use to minimise vulnerabilities, safeguard confidential information, and protect customers, corporate integrity, and business.
  • Cybersecurity reporting obligations are a regulatory priority across the U.S., UK, and EU, with increasing expectations for transparency, resilience, and board-level accountability, including rapid notification of significant cyber events to national authorities and sector regulators.
  • Boards should remain informed about evolving disclosure and reporting requirements and proactively ensure that their organisations are prepared to respond to developing reporting and disclosure obligations.
  • Board liability varies across the U.S., UK, and EU. In the UK, directors owe general duties to an organisation under the Companies Act, while in the U.S., directors are bound by their fiduciary duties to act in the best interests of an organisation.

Statistics:

  • Over 5,000 professionals from 1,000 public and private organisations participated in the ANSSI tabletop exercise.
  • The event was the first of its kind and served as a critical reminder of the need for robust crisis-management strategies to prepare for and respond to cybersecurity incidents.

Sources:

  • ANSSI [French national cybersecurity regulator]
  • Various government agencies, industry bodies, and legal experts

Note: The content of this article is intended to provide a general guide to the subject matter and should not be taken as specialist advice. Specialist advice should be sought about specific circumstances.