Cybersecurity governance, risk, and reporting
Along with the ever-increasing frequency of breaches and compromised data, regulatory requirements and the demand for disclosure have also become part of the cybersecurity landscape.
Privacy and cybersecurity regulation
Perhaps the most notable privacy and cybersecurity regulation is the EU GDPR (General Data Protection Regulation). In the UK, the UK GDPR governs privacy issues. The UK GDPR is a close adaptation of the EU version, updated in June 2025 by the Data Use and Access Act 2025 (DUAA).[29] In the United States, protecting data privacy and security is subject to various state and federal regulations, which have evolved to address a range of issues such as the use and protection of personal information, the conduct of regular risk assessments, and the reporting of data breaches and security incidents, including rules adopted by the Securities and Exchange Commission (SEC) in July 2023.
Regulatory fines
32% of breaches resulted in fines.
23% of fines exceeded $250,000.
Source: IBM Cost of a Data Breach Report 2025
These SEC rules require current disclosure of material cybersecurity incidents and periodic disclosure about a company's processes to assess, identify, and manage material cybersecurity risks; management's role in assessing and managing material cybersecurity risks; and the board of directors' oversight of cybersecurity risks. While the continuation of these rules may be subject to the actions of the current US administration, they currently apply to companies whose shares are traded on US public markets.[30]
The AICPA and CIMA, in collaboration with the Center for Audit Quality (CAQ), have jointly developed What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules, which provides guidance for complying with these new rules.[31]
Cybersecurity national strategies
In March 2023, the US government released a new National Cybersecurity Strategy that emphasizes working with international partners to counter threats, building resilience and defending critical infrastructure, and creating schemes to promote investment in secure infrastructure.[32] The strategy calls for ‘robust collaboration’ to rebalance the burden of responsibility away from individuals and small businesses and onto the public and private organizations best placed to address this challenge.[33] Version 2 of the National Cybersecurity Strategy Implementation Plan (NCSIP), containing 100 high-impact initiatives, was launched in March 2024.[34]
In the United Kingdom, the UK GDPR does not mandate specific cybersecurity measures. Rather, it requires organizations to have a level of security that is ‘appropriate’ to the risks, which depend on organizational circumstances and the data being processed. However, the UK GDPR does make ‘data protection by design’ a legal requirement and places the burden of accountability on the organization to demonstrate that its data processing complies with the regulation.
Risk management, reporting, and oversight
In addition to regulatory compliance risk, the business risk of interruption caused by cybersecurity incidents has heightened the level of concern among governing boards, their audit and risk committees, investors, and the customers and suppliers in the enterprise value chain.
As summarized in appendix II, the AICPA has developed a cybersecurity risk management reporting framework as part of a collection of resources for both public accounting and management accounting. One resource available is the SOC for Cybersecurity Brochure, which provides an overview of system and organization controls (SOC) assurance engagements.
With respect to governance and board oversight, the Center for Audit Quality (CAQ), an autonomous public policy organization that is affiliated with the AICPA and CIMA, has developed Cybersecurity Risk Management Oversight: A Tool for Board Members.
This resource provides a range of guidance that board members can use to discharge their responsibilities with respect to cybersecurity risk. It offers questions to ask that build understanding of the roles of management and the financial statement auditor, and it covers how CPAs can assist boards of directors in their oversight of cybersecurity risk management.
It also provides information and questions for board members to ask with respect to:
their companies’ specific risk profile, particular vulnerabilities, and management’s approach to managing these risks.
the prioritization of risk management practices, including supply chain or third-party risks, in addition to internal personnel policies, training, access controls, etc.
incident response protocols, including thorough analysis of events, reporting to relevant parties, and potential disclosure requirements.
Similar resources have been developed in the UK by the NCSC. The Cyber Security Toolkit for Boards is organized around the UK Cyber Governance Code of Practice, as follows:[35]
Principle A: Risk management
Identifying critical assets in your organization
Risk management for cyber security
Collaborating with your supply chain and partners
Principle B: Strategy
Embedding cyber security in your organization
Cyber security regulations and directors’ duties in the UK
Principle C: People
Developing a positive cyber security culture
Growing cyber security expertise
Principle D: Incident planning, response, and recovery
Planning your response to cyber incidents
Principle E: Assurance and oversight
Understanding the cyber security threat
Implementing effective cyber security measures
Effective cyber governance, like financial oversight, requires strong leadership and proactive engagement at board level.