Technology gets discussed at every board meeting. It never gets governed.
Boards have rigorous governance over finance, audit, comp, and legal. Technology sits outside all of it. The SEC's 2023 rules (Item 106 of Regulation S-K and Item 1.05 of Form 8-K) put public companies on the hook for disclosing how the board oversees cybersecurity risk and for reporting material incidents within four business days. Personal exposure for directors sits one layer underneath: Delaware's Caremark doctrine, sharpened by recent Court of Chancery decisions treating cybersecurity as a mission-critical risk, holds directors to a fiduciary duty of oversight they cannot satisfy by delegation alone. A board that cannot show, in its minutes, what it asked, what it was told, and what it did about technology risk has a problem in two forums at once.
Where you sit today
Three truths from inside your role.
Three patterns recur in how board members and investors describe the situation above. Not all three may apply to you, but one or two usually will.
You rely on management's assurance
The board has no independent mechanism for knowing the state of technology risk before something happens. Management updates are not oversight.
Technology is on every agenda, governed nowhere
Audit committee governs audit. Finance committee governs finance. Technology gets a slide and a head-nod, then moves on.
The risk is personal, not just institutional
In a material incident, regulators and plaintiffs ask what the board received, reviewed, and reasonably acted on. "We trusted management" is no longer a defense.
What changes with Preside
Three structural shifts, not three projects.
A risk register in dollars
Annualized loss expectancy for every material technology risk. The same units finance uses. Defensible to regulators, auditors, and acquirers.
Quarterly board reporting that holds up
Same format every quarter. Risk in dollars. Spend trajectory. Control posture against your applicable framework. One page the board can actually engage with.
Independent oversight, not management self-report
The assessment is produced by a party independent of the team responsible for the conditions under review. Regulators, insurers, and acquirers all apply this standard.
A sample of the artifact
What the quarterly board page looks like
A single page produced on the same cadence as the financial report. Same format every quarter so the trend is visible. Same units finance uses so the conversation works.
Quarter ending Q3
Technology risk and oversight summary
Annualized loss expectancy
$4.8M
Down $1.1M vs Q2
Top driver: ransomware exposure on legacy identity infrastructure. Remediation track on schedule.
Control posture vs framework
68%
Up 4 points vs Q2
Mapped to NIST CSF 2.0. Three controls moved from "partial" to "implemented" this quarter.
Material vendor exposure
11 vendors
2 elevated
2 vendors flagged for renewal review on data-handling and concentration risk. Decisions due in Q4.
Active initiatives at risk
2 of 7
Down 1 vs Q2
Atlas project track-to-date ROI below original case. Decision required: continue, restructure, or stop.
Regulatory landscape
What your board is now answerable to
Cyber and technology oversight is no longer a single-framework conversation. The anchors below have changed boardroom expectations since 2023. Not all apply to every company. The set that does apply usually exceeds what the existing board calendar can absorb without help.
- SEC Item 106 of Regulation S-K (Dec 2023)
Public companies disclose, in the 10-K, board oversight processes for cybersecurity risk and report material incidents within four business days under Item 1.05 of Form 8-K.
Relevant to: registrants and acquirers of registrants. Source: SEC press release 2023-139.
- NYDFS 23 NYCRR Part 500 (Second Amendment, phased through Nov 2025)
The board or senior governing body must have sufficient understanding of cybersecurity to exercise oversight, require management to maintain the program, and review the annual CISO program report.
Relevant to: NY-regulated financial services. Source: NYDFS cybersecurity guidance.
- FFIEC IT Examination Handbook (Architecture and Operations booklet, updated 2024)
Board approves IT strategy aligned to risk appetite, receives regular Architecture, Infrastructure, and Operations governance reports, and is educated to review performance.
Relevant to: OCC, Fed, and FDIC-supervised institutions. Source: FFIEC IT Handbook.
- HHS OCR HIPAA Security Rule update (NPRM Dec 2024)
Raises governance expectations: 12-month asset inventory and network map refresh, annual incident-response plan testing, annual verification of business-associate safeguards.
Relevant to: HIPAA-covered entities. Source: HHS HIPAA Security Rule NPRM.
- California CCPA cybersecurity audit and risk-assessment regulations (effective Jan 2026; first audit covers 2027)
Larger businesses must complete an annual independent cybersecurity audit covering 18 prescribed control areas, plus documented risk assessments, attested at the executive level.
Relevant to: larger California-touching businesses. Source: California Privacy Protection Agency.
- NERC CIP standards (CIP-002 through CIP-015, including INSM)
Board-overseen programs for asset identification, supply-chain risk, configuration change management, internal network security monitoring, and incident reporting to FERC and NERC Regional Entities.
Relevant to: electric utilities and connected entities. Source: NERC reliability standards.
- SEC Reg S-P amendments (adopted May 2024; large-adviser compliance Dec 2025; smaller advisers Jun 2026)
Registered investment advisers and funds must maintain a written incident-response program, notify affected customers, oversee service providers, and keep expanded records.
Relevant to: registered investment advisers and funds. Source: Proskauer alert.
- Delaware Caremark fiduciary doctrine (Sorenson 2021, Bingle 2022, and after)
Directors must show a board-level information-and-reporting system for mission-critical risks exists and is used in good faith. Recent Chancery decisions reaffirm that cybersecurity is mission-critical for most modern companies.
Relevant to: every Delaware-incorporated company (the majority of US public companies and most PE portfolio companies). Source: Harvard Law CorpGov Forum.
- D&O underwriter expectations (Chubb, Marsh, AIG, Tokio Marine HCC, WTW)
Post-2023 D&O renewal applications ask about board cyber expertise, reporting cadence, MFA coverage, third-party threat intelligence, IR testing, and SEC Item 106 readiness.
Relevant to: every board carrying D&O. Sources: Moody's D&O analysis, WTW 2025 D&O outlook.
- NACD-ISA Director's Handbook on Cyber-Risk Oversight (5th edition)
Not a regulation, but the most-cited director standard of care. Six principles plus fifteen tools, including cyber-risk quantification in dollars.
Relevant to: every board. Source: NACD Director's Handbook.
Your recommended initiative
Three-week Board Technology Governance Initiative
The deliverable
A board-ready governance framework, risk dashboard, and management accountability structure, designed to be presented at your next board meeting.
What we typically find
Boards that have governed every other function rigorously for years quietly accept a governance gap on technology because nobody gave them the framework to close it. That gap is now a fiduciary and personal liability issue in a way it was not five years ago. The fix is not better management reporting. It is independent oversight with the structure boards already apply elsewhere.
What directors ask first
The four questions that come up in committee.
How is this different from the CISO report management already gives us?
Management self-reports its own posture. Regulators, insurers, and acquirers all treat that as a starting point, not as oversight. This assessment is produced by a party independent of the team responsible for the conditions under review, in the format and units the board can act on.
Won't this duplicate or undermine management?
It sits above management's work, not parallel to it. The internal team continues to operate the function. We translate that operation into the oversight format the board needs. In practice, IT leaders find the structure helpful because it makes their work legible to the people funding it.
What if there is no incident? Was the artifact worth producing?
The same artifact answers the diligence question when an acquirer asks, supports cyber-insurance application accuracy, and provides documented oversight if a state regulator or the SEC ever asks what the board reviewed. The artifact pays for itself outside the incident scenario.
Who actually receives this: full board or audit committee?
Either or both. Most companies route technology governance through the audit committee with a quarterly summary to the full board. The format works for either cadence and is sized to fit inside a normal committee packet, not extend it.
Start with the governance framework. Decide from there.
Three weeks. A framework ready for your next audit-committee meeting. If it makes the board's oversight defensible under the SEC's 2023 rules, to D&O carriers, and under Caremark scrutiny, the Operating Partner relationship is the durable form of the engagement.