Online Exclusive

Overseeing Cyber Risk in a Fragmented Regulatory Environment

By James Turgal

08/19/2025

Partner Content Provided by Optiv Security Inc.

Organizations face a complex landscape of cybersecurity regulations. Here’s how boards can ensure compliance and enable strategic success.

Imagine that your organization launched a new product in Europe, but you suddenly face a multimillion-dollar fine for violating the European Union’s General Data Protection Regulation (GDPR) data-handling rules that you didn’t know applied to the product. Meanwhile, a US state passes a new privacy law, and your supply-chain partner in Asia demands compliance with local data sovereignty mandates. 

In today’s fractured regulatory landscape, this is a very real situation for companies. Effective cybersecurity solutions are not only about stopping breaches; they must also navigate a maze of global rules that can make or break a business. For boards, overseeing cyber risk is critical for safeguarding shareholder value, ensuring operational continuity, and enabling growth.

Why Cybersecurity Regulations Matter to Boards

Cybersecurity regulations are proliferating worldwide, driven by rising cyber threats, consumer demands, and geopolitical shifts. The GDPR and the European Union’s Artificial Intelligence Act set a high bar for data protection and technology governance. Frameworks in the United States, such as the US Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules and state-level privacy laws (e.g., the California Consumer Privacy Act), add to the complexity. Globally, certain countries, including China and India, enforce data localization laws that require certain categories of data to be stored within their borders, a logistical and security headache for multinational firms that must segment storage, backups, and access by jurisdiction.

These rules are not just compliance checkboxes. Noncompliance can trigger crippling fines. GDPR penalties alone reached nearly $2 billion in 2022, and that does not include the cost of reputational damage and operational disruptions.

For boards, the stakes are high: regulators are increasingly holding companies and their executives accountable for cybersecurity oversight and disclosure, as shown by the SEC’s charges against SolarWinds Corp. in 2023 and Yahoo! in 2018. In a regulatory landscape where rules vary by region and industry, how do boards stay ahead?

The Board’s and Management’s Role

Effective cybersecurity governance starts with treating regulatory risk as a core business issue and not an information technology afterthought. Boards should ensure that their organizations can adapt to diverse compliance requirements while safeguarding critical assets and enabling growth.

They can do this by encouraging management to take the following steps:  

  • Quantify risk in business terms. Translate compliance risks into financial terms, as businesses would market or operational risks. Using models such as the Factor Analysis of Information Risk, or FAIR, methodology, chief information security officers (CISOs) can estimate the likelihood (loss event frequency) and impact (loss magnitude) of regulatory violations. For example, a CISO can determine that a cyberattack on a critical network has a 5 percent chance of occurring this year and that it would cost $10 million in response, restoration, fines, and lost revenue, an expected annual loss of roughly $500,000. This clarity helps boards weigh investments in compliance against other priorities.
  • Enable the achievement of strategic goals. Compliance is not a burden; it enables success. For instance, GDPR adherence can build customer trust and unlock European markets. In a similar vein, robust controls to comply with regulations in the United States, such as the Health Insurance Portability and Accountability Act, can streamline partnerships in certain industries, depending on the company’s strategy. Boards should ensure that cybersecurity and compliance strategies support expansion, innovation, and competitive positioning. 
  • Build resilience. Regulatory scrutiny often follows a breach. By investing in incident response plans, threat intelligence, and automation, organizations can minimize violations and recover faster in the event of a breach, protecting brand and shareholder value.
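The single-point figure above (5 percent times $10 million) hides how uncertain both inputs are. FAIR practitioners normally express frequency and magnitude as calibrated ranges and simulate many years to get a loss distribution, which is what a board needs to compare against a stated risk appetite. The following is an added illustration, not code from the article, from Optiv, or from the FAIR standard; the scenario numbers (a frequency range of 2 to 10 percent a year with a most-likely value of 5 percent, and a per-event loss 90 percent confidence range of $2 million to $30 million) are constructed assumptions, and the function and parameter names are the author's own.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added example: not from the article, Optiv, or the FAIR standard.
All scenario numbers are constructed assumptions for demonstration.
"""
import math
import random
import statistics


def lognormal_params(p5: float, p95: float) -> tuple[float, float]:
    """Turn a calibrated 90% confidence range for loss magnitude (5th and
    95th percentile) into the (mu, sigma) of a lognormal distribution."""
    z95 = 1.6449  # standard normal quantile for the 95th percentile
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * z95)
    return mu, sigma


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year for an annual rate lam
    (Knuth's multiplicative method; fine for the small rates of one scenario)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(rng: random.Random, freq_min: float, freq_ml: float, freq_max: float,
                 loss_p5: float, loss_p95: float, trials: int = 20000) -> dict:
    """Monte Carlo over `trials` simulated years. Each year draws a loss event
    frequency (triangular min / most likely / max), a Poisson event count at that
    rate, and a lognormal loss magnitude for every event."""
    mu, sigma = lognormal_params(loss_p5, loss_p95)
    annual = []
    for _ in range(trials):
        rate = rng.triangular(freq_min, freq_max, freq_ml)  # note: (low, high, mode)
        events = poisson_sample(rng, rate)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()
    return {
        "mean": statistics.fmean(annual),           # the annualized loss exposure
        "p90": annual[int(0.90 * len(annual))],     # a "bad year"
        "p99": annual[int(0.99 * len(annual))],     # a "very bad year" for appetite checks
        "p_any_loss": sum(1 for a in annual if a > 0) / len(annual),
    }


def point_estimate(probability: float, impact: float) -> float:
    """The article's single-point version: probability times impact."""
    return probability * impact


def within_appetite(result: dict, tolerable_p99_loss: float) -> bool:
    """Risk appetite expressed as 'a 1-in-100 year must not cost more than X'."""
    return result["p99"] <= tolerable_p99_loss


def run_scenario(seed: int = 7) -> dict:
    """Constructed scenario: 2-10% annual frequency (most likely 5%),
    per-event loss between $2M and $30M with 90% confidence."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return simulate_ale(rng, 0.02, 0.05, 0.10, 2_000_000, 30_000_000)


if __name__ == "__main__":
    r = run_scenario()
    print(f"single-point estimate: ${point_estimate(0.05, 10_000_000):,.0f}")
    print(f"simulated ALE (mean): ${r['mean']:,.0f}")
    print(f"chance of at least one loss event this year: {r['p_any_loss']:.1%}")
    print(f"90th / 99th percentile annual loss: ${r['p90']:,.0f} / ${r['p99']:,.0f}")
    print("within $25M 1-in-100-year appetite:", within_appetite(r, 25_000_000))
```

Two things in the output are worth pointing out to a board. The 90th percentile year is typically $0, because most simulated years have no event at all, so a "mean" of several hundred thousand dollars is an accounting figure, not what any one year looks like. The 99th percentile, on the other hand, lands well above the $10 million single-point impact because the magnitude range is skewed; that tail, not the mean, is what a risk appetite statement should be written against.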

Questions Boards Should Ask

To steer through this complexity, boards should ask management, particularly the CISO or the designated head of cybersecurity, and themselves the following questions:

  • Are we aware of the cybersecurity regulations that impact our global operations, and do we understand their financial implications? 
  • How does our compliance strategy support the company’s growth plans, such as entering new markets or launching digital services? 
  • Can we quantify our regulatory risk exposure, and are our investments aligned with that risk appetite? 
  • How resilient are we to a breach that triggers regulatory action? Can we respond and recover swiftly? 
  • Do we have the right oversight structure, such as a dedicated cybersecurity committee, to stay ahead of evolving rules?

These questions ensure that cyber-risk discussions are grounded in business outcomes and not technical jargon.

Practical Steps for Boards

Navigating a fragmented regulatory environment internationally, or even across the United States, demands proactive governance. To prepare for any associated risks, boards can take the following actions:

  • Demand regular briefings from the CISO. Ensure the CISO has direct access to the board to deliver updates in clear, business-focused language. Directors should ask for insights into regulatory trends and their impact on operations, from supply chains to customer trust. 
  • Invest in education. Stay informed through tailored, internal or third-party cybersecurity training for directors. This will deepen directors’ understanding of key regulations, such as the GDPR or the SEC’s cybersecurity rules, and how they intersect with the company’s industry. 
  • Leverage frameworks. Use standards, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls, to benchmark compliance and identify gaps. These tools provide a shared language for aligning cybersecurity and business strategies. 
  • Conduct scenario planning. Run annual tabletop exercises to simulate regulatory fallout from a breach. For example, how would the company handle a GDPR fine or an SEC investigation? These drills build preparedness and confidence. 

Compliance as a Competitive Edge

In a fragmented regulatory environment, cyber risk is not just a challenge; it is also an opportunity. Boards that treat compliance as a strategic driver can build trust, open markets, and outpace competitors. This starts with asking the right questions, demanding accountability from leadership and security management, and aligning cybersecurity with the organization’s mission.

The views expressed in this article are the author's own and do not represent the perspective of NACD.

Optiv is a NACD sponsor, providing directors with critical and timely information and perspectives. Optiv is a financial supporter of the NACD.

James Turgal is vice president of the global cyber advisory, risk, and board relations at Optiv.