Four business days. That is the deadline regulators have set: the time within which a public company must disclose a material cyber incident under current SEC rules, counted from the day the company determines the incident is material. The question is whether boards can actually meet it, or whether they are still struggling to. Boards that haven't predefined what "material" means, haven't assigned who will handle the response, and haven't run a serious tabletop exercise will find that four days is not much time at all.
The SEC did not invent board responsibility for cybersecurity; it codified it, and ignoring it now simply costs more. The EU's DORA (Digital Operational Resilience Act) and CSRD (Corporate Sustainability Reporting Directive) add comparable obligations for companies operating across Europe, and regulators around the world are following a similar pattern. Ignorance is not a defense.
Yet many boards still act as if cybersecurity were a technology issue that surfaces at committee level only when something goes wrong. That attitude is no longer sustainable, and not only because of the regulatory crackdown. It is a strategic issue.
By 2026, cybersecurity will overtake AI itself as the top global digital investment priority, according to senior executives surveyed for AlixPartners' Disruption Index.
Of course, the two priorities go hand in hand. Every major AI initiative a company pursues, every data-driven service it extends, and every piece of automation it deploys has to be secured. Boards that treat cyber as a cost center and AI as a growth lever are making a mistake: they are treating closely related risks as if they were unrelated. Data security, model integrity, and the resilience of the platform the model runs on are really the same problem.
The governance gap is real. Most boards have audit and compensation committees with clear mandates, defined membership, and regular reporting cycles. Few companies have a comparable structure for cybersecurity. What often exists instead is a series of episodic briefings in which the CISO compresses a complex operational picture into digestible slides, delivered to directors who have no real basis on which to challenge them. The result is cyberwashing.
To fix this, start with structure. A dedicated board-level forum for cyber oversight, with a defined charter, at least three board members, and a meeting cadence aligned with the audit cycle, creates the conditions for real accountability. Importantly, at least one member must have enough cyber knowledge to interpret what management is actually saying. That does not require a deep technical background; it requires knowing how to think about risk, materiality, and the business impact of failure.
Structure alone is not enough. Boards also need actionable information. Many organizations respond by giving directors more data: dashboards, heat maps, maturity scores, and so on. What directors actually need is a small number of metrics tied directly to governance outcomes: what is the current level of risk, how well does the organization adhere to its own policies and frameworks, what is the impact on the business if key controls fail, and what is management doing about it? In the end, boards want to know whether the business is protected.
Risks must be expressed in terms the board already understands. If a ransomware attack takes down a critical production line, what is the revenue loss per day of downtime? What are the regulatory penalties and reputational costs if a supplier compromise exposes customer data? These are not hypotheticals; security teams can model them, and the resulting scenarios anchor board conversations about risk appetite and investment priorities. Some 72% of CEOs say they find it increasingly difficult to prioritize among disruptive forces. Framing cyber risk in financial and operational terms is one of the more direct ways to cut through that noise.
Particular attention should be paid to response preparation. Boards tend to focus on prevention, which makes sense, but the regulatory clock starts ticking the moment an incident is determined to be material. Four business days is very little time for a company that hasn't pre-defined its materiality thresholds, assigned cross-functional roles, or run realistic tabletop exercises. The organizations that manage incidents well are the ones that rehearse them, at both the operational and the executive level.
Cybersecurity investment is not usually linked to a company's growth strategy, but AI shows how closely the two are connected. Growth leaders are nearly four times more likely than laggards to deploy agentic AI. That gap is not primarily a matter of AI capability. It is a matter of confidence: trust in data quality, in platform resilience, and in governance structures that let leaders move quickly without taking risks they don't understand. Cybersecurity maturity is what creates that confidence, because it lets the organization take risks safely.
Boards that treat cybersecurity as a compliance exercise are always reactive. Regulation lags behind the threats it seeks to address, frequently conflicts across jurisdictions, and changes faster than governance structures can absorb. Compliance is a baseline; meeting it does not mean the organization is secure. Boards that treat cybersecurity as a strategic capability will advance faster than peers who have not yet made that connection.
The starting point is simpler than most directors assume. Define what good cybersecurity looks like, strengthen the governance structure, reset the reporting cadence, and run a full-scale test of incident response capabilities. From there, cybersecurity stops being a mandate imposed on management and becomes a platform for whatever the business wants to do.
About the author

Beth Moussi advises clients on risk management, compliance, technology, and operating model transformation. She heads AlixPartners' cybersecurity and data privacy practice and has more than 30 years of experience in security services. Beth has worked with clients across many industries to optimize their security operating models and has developed deep expertise in security operations, brand protection, and incident management and response. She previously served as Vice President of Cybersecurity at GE Healthcare, where she was responsible for secure product development. Her other professional experience includes serving as GM of CSC's global commercial cybersecurity organization. Prior to joining AlixPartners, she was a global partner in IBM's Healthcare and Life Sciences Security Services practice.

Ed Hardy has held most roles in the cyber space, from penetration testing and auditing to risk management and CISO positions. He is an experienced consultant who manages cyber risk to support both organizational growth and security, working closely with investors and executives to ensure that security adds value to the organization. His work includes helping large enterprises transform their cyber programs from reactive functions that hinder the business into proactive, value-creating teams. He not only aligns cyber with an organization's risk requirements but also uses it to achieve business objectives, create flexibility, and enable organizations to embrace risk safely.
