Cyber accountability in the boardroom

New guidance updates — including the 5th Director’s Handbook on Cyber‑Risk Oversight and CISA’s forward engagement — landed this week as boards wrestle with liability and spend questions. Surveys cited in social threads say as many as 90% of boards question the value of cyber budgets, even while commentators link oversight gaps to potential director liability.

Corporate boards got new marching orders on cyber risk this week, as directors face tougher disclosure rules, investor scrutiny, and rising liability questions. (nacdonline.org)

The National Association of Corporate Directors and the Internet Security Alliance released the fifth edition of the *Director’s Handbook on Cyber-Risk Oversight* on April 16, 2026. The guide says boards should treat cyber risk as an enterprise issue, not just an information technology problem, and it lays out six oversight principles plus tools for incident response and management engagement. (nacdonline.org)

That same day, CISA Acting Director Nick Andersen used the handbook’s foreword to tell directors that “technical debt” — old systems that are costly to replace and easy for attackers to exploit — has become a national liability. He wrote that cybersecurity should be a standing board agenda item every quarter and tied delayed modernization to financial exposure and supply-chain risk. (nacdonline.org)

The pressure on boards is not coming only from security agencies. Since September 5, 2023, Securities and Exchange Commission rules have required public companies to describe in annual reports how their boards oversee cybersecurity risk and how management is informed about threats. (sec.gov) Those rules are specific. Item 106 of Regulation S-K says companies must identify any board committee responsible for cyber oversight, if one exists, and describe how the board or that committee is informed about cyber threats. (ecfr.gov)

Board skepticism about cyber spending is also now documented. Gartner said in a November 24, 2025 survey of 330 non-executive directors that 90% lacked strong confidence in the value of cybersecurity investments, and only 10% said they had the right balance of protection and cost. (gartner.com) That helps explain why the handbook leans so hard on governance and business language. Gartner said boards often struggle to connect cyber spending to revenue, costs, and shareholder impact, while the new handbook says its six principles have previously been shown to improve security budgeting and security outcomes. (gartner.com, nacdonline.org)

Liability is part of the backdrop. The Securities and Exchange Commission charged SolarWinds and its chief information security officer in October 2023 over alleged fraud and internal-control failures tied to known cyber risks, putting governance and disclosure practices under a brighter light even before some claims were later narrowed in court. (sec.gov, corpgov.law.harvard.edu)

Insurance markets are reacting too. *Governance Intelligence* reported on March 30, 2026 that cyber incidents are increasingly spilling into directors and officers liability claims, as shareholder suits and regulatory scrutiny follow breaches and ransomware attacks. (governance-intelligence.com)

CISA is also trying to pull industry closer before incidents happen. The agency launched its Industry Engagement Platform in December 2025 to give companies, nonprofits, academics, and researchers a formal way to present security technologies and meet CISA experts on issues including security controls, communications systems, and post-quantum cryptography. (industrialcyber.co)

The boardroom question is no longer whether cyber belongs on the agenda. The question in April 2026 is whether directors can show, in filings, budgets, and breach response, that they actually oversaw it. (sec.gov, nacdonline.org)
