What Boards Get Wrong About Cybersecurity

Boards that treat cybersecurity as a compliance issue will stay stuck in reactive mode. But the starting point for strategic capability is simpler than most directors assume.

Four business days. That’s the floor regulators have set: how long a public company has to disclose a material cyber incident under current SEC rules. The question is whether boards of directors are building above it or still scrambling to meet it. It’s not much time for a board of directors that hasn’t pre-defined what “material” means, assigned who owns the response or ever run a serious tabletop exercise.

The SEC didn’t invent board accountability for cybersecurity. It just made ignoring it more expensive. The EU’s DORA (Digital Operational Resilience Act) and CSRD (Corporate Sustainability Reporting Directive) have added equivalent obligations for firms operating across Europe, and regulators across much of the world are following a similar pattern. In all cases, ignorance will not be tolerated as a defense.

Yet many boards are still behaving as though cybersecurity is a technology problem that surfaces at the committee level when something goes wrong. That posture is no longer sustainable, and it isn’t just a legal exposure. It’s a strategic one.

Cybersecurity has claimed the top spot among digital investment priorities globally in 2026, edging out AI itself, according to senior executives surveyed in the AlixPartners’ Disruption Index.

Those two priorities are inextricably linked, of course. Every major AI initiative a company pursues, data-driven service it scales, and automation it deploys must be secured. A board that treats cyber as a cost center and AI as a growth lever is making a flawed decision, treating related risks as unrelated problems. The security of data, the integrity of models and the resilience of the platforms that run them are, in fact, the same problem.

The governance gap is real. Most boards have audit committees and compensation committees with clear mandates, defined membership and regular reporting cycles. Few have equivalent structures for cybersecurity. What often exists instead are episodic briefings from a CISO who is trying to compress a complex operational picture into slides that won’t cause eyes to glaze over, delivered to directors who have no real basis for pushing back. The result is cyberwashing.

Fixing this starts with structure. A dedicated board-level forum for cyber oversight, with a defined charter, at least three director members and an appropriate cadence aligned with audit cycles, creates the conditions for genuine accountability. Critically, at least one member should bring enough literacy in cyber to interpret what management is actually telling them. That doesn’t require a technical background; it requires familiarity with how to think about risk, materiality, and the business consequences of failure.

Structure alone isn’t enough. Boards also need information they can actually use. The instinct in many organizations is to give directors more data via dashboards, heat maps or maturity scores, for example. What directors really need is a small set of indicators tied directly to governance outcomes: What is the current level of risk? How well does the organization comply with its own policies and frameworks? What would the business impact be if key controls failed? And what is management doing about it? Boards want to understand whether the business is protected.

Risk must be expressed in terms boards already understand. If a ransomware attack takes down a critical production line, what is the revenue loss per day of downtime? If a supplier breach exposes customer data, what are the regulatory penalties and the reputational cost? These aren’t hypotheticals for security teams to model in isolation. They’re the scenarios that should anchor board conversations about risk appetite and investment adequacy. Some 72 percent of CEOs say they find it increasingly difficult to prioritize disruptive forces. Framing cyber risk in financial and operational terms is one of the more direct ways to cut through that noise.

Response readiness deserves particular attention. Boards tend to focus on prevention, which makes sense, but the regulatory clock starts ticking the moment an incident is determined to be material. Four business days is not much time for a company that hasn’t pre-defined its materiality thresholds, assigned cross-functional roles, or run a realistic tabletop exercise. The organizations that manage incidents well are the ones that have rehearsed them, at both an operational and executive level.

Investment in cybersecurity does not usually rise in step with a business’s growth strategy, but AI is showing how closely linked the two are. Growth leaders deploy agentic AI at nearly four times the rate of laggards. That gap isn’t primarily a function of AI capability. It’s a function of confidence: confidence in data quality, in platform resilience, in the governance structures that let leadership move quickly without taking on risks they don’t understand. Cybersecurity maturity is what makes that confidence warranted, because it enables an organization to take risks safely.

Boards that treat cybersecurity as a compliance exercise will always be reactive. Regulations lag the threats they’re trying to address, frequently conflict across jurisdictions and change faster than governance structures can absorb. Compliance is a baseline, and meeting it doesn’t mean the organization is secure. Boards that treat cybersecurity as a strategic capability will instead spend their time moving faster than peers who haven’t made that connection yet.

The starting point is simpler than most directors assume: Define what good cybersecurity means, sharpen the governance structure, reset the reporting cadence and run a serious test of incident readiness. From there, cybersecurity stops being a liability to manage and starts being a platform for everything else the board wants to do.

About the authors

Beth Musumeci advises clients on risk management, compliance, technology and operating-model transformation. She is head of AlixPartners’ Cybersecurity and Data Privacy Practice and has more than 30 years of experience in security services. Beth has worked with clients across many industries to optimize their security operating models, cultivating deep expertise in security operations, brand protection and incident management and response. She was previously the Vice President of Cybersecurity for GE Healthcare, where she had responsibility for secure product development. Her other professional experience includes serving as GM for CSC’s Global Commercial Cybersecurity Organization. Prior to AlixPartners, she was the Global Partner for IBM’s Healthcare and Life Sciences Security Services practice.

Edd Hardy has worked in most roles in cyber, from pentesting and audit through to risk management and CISO roles. He is a highly experienced consultant who manages cyber risk to enable an organization’s growth and security. In his role he works closely with investors and the C-suite to ensure security is adding value to the organization. His work involves helping large organizations transform their cyber programs from reactive functions that inhibit the business into proactive, value-creating teams, not only aligning cyber with the organization’s risk requirements but using it to deliver business objectives, create flexibility and enable the organization to safely embrace risk.
