Mondaq flags cyber oversight as board duty
- A new legal memo from A&O Shearman says boards now need direct oversight of cyber resilience plans, not just security spending or breach response.
- The memo says directors should demand documented evidence: tabletop exercises, named oversight owners, outage decision trees, and third-party coordination plans.
- That lands as California's privacy agency fights a federal bill that could override stronger state rules.
Cybersecurity is turning into a board job in a much more literal way. Not "the board should care about cyber" in the vague, annual-presentation sense. More like: directors should be able to ask for proof that the company can keep operating through a serious attack, and show regulators that this oversight actually happened. That shift got spelled out this week in a legal memo from A&O Shearman circulated through Mondaq, while California's privacy regulator is separately warning Congress not to wipe out stronger state privacy rules. (mondaq.com)

### What changed here?

The fresh piece is the framing. A&O Shearman's memo says boards should treat cyber operational resilience as an oversight discipline with documented controls, defined ownership, and evidence trails. The point is not just preventing hacks. It is proving the company can make decisions, communicate, recover systems, and manage outside vendors during an outage. (mondaq.com)

### What does "operational resilience" actually mean?

Basically, it means the business still functions when the technology breaks. A ransomware hit, cloud outage, identity compromise, or critical vendor failure can all become business continuity events fast. The memo pushes boards to ask who makes decisions in that moment, how escalation works, which services matter most, and what dependencies could fail together. (mondaq.com)

### Why is the board suddenly on the hook?

Because regulators increasingly care about evidence, not assurances. The memo says boards should expect questions about proactive measures, including tabletop exercises and oversight by a named board member or committee. That matters because once cyber is framed as resilience, it stops being a narrow IT issue and starts looking like governance, disclosure, and operational risk all at once. (mondaq.com)

### What kind of proof should directors ask for?

Not glossy dashboards alone. Directors should want something they can test. Think incident playbooks tied to specific business services, recovery assumptions that have been exercised, communications plans for customers and regulators, and maps of critical third-party providers. If a dashboard says the company is "green," the board should be able to ask what evidence makes that true. (mondaq.com)

### Why bring privacy into this?

Because the same boardroom is now dealing with a second pressure point: data governance rules that may move in opposite directions at the state and federal levels. California's Privacy Protection Agency has publicly opposed the Republican-led SECURE Data Act. (mondaq.com) There is a concrete consumer tool at stake too: Californians could lose access to the DROP system for broker-wide deletion requests. (news.bloomberglaw.com)

### Why does that matter for cyber oversight?

Because cyber and privacy are now joined at the hip in governance. A breach is not just a systems problem. It can trigger disclosure duties, consumer-rights issues, vendor questions, and regulator scrutiny across multiple regimes. Companies need a defensible map of what data they hold, where it flows, and which outside parties touch it. (news.bloomberglaw.com)

### So what should boards do now?

Assign clear ownership. Ask for evidence from exercises, not just policies in binders. Tie cyber reporting to business services, not only technical controls. And make management show the dependency chain, especially cloud, identity, payments, and other critical vendors. The catch is that none of this is glamorous. But it is auditable, and that is exactly why the expectation is rising. (mondaq.com)

### Bottom line

The real shift is simple: boards are being told to oversee cyber the way they oversee other control systems, with named owners, tested assumptions, and records that stand up after a bad day. Privacy fights like California's just raise the stakes, because the companies that cannot explain their resilience usually cannot explain their data governance either. (mondaq.com)