What Boards Need To Know On Digital And Cybersecurity Governance In 2025


The year 2024 was a relatively big year in digital, cybersecurity and systemic risk governance, if you knew where to look. While the growing pains of implementing new SEC cybersecurity disclosure rules and U.S. Senator Ron Wyden calling out the UnitedHealth Group (NYSE:UNH) CEO and board for their colossal cybersecurity failure made headlines, there was not a singular event that can be viewed as a boardroom tipping point on these issues. Instead, a collection of complementary events and trends conspired to create a discernible path towards sustainable and systemic change in digital and cybersecurity oversight.

While there are organizations working against common sense board reform on digital and cybersecurity governance, the hackers and boardroom leaders are winning and the status quo is losing — expensively. Hackers win because they benefit from the ongoing weakness of the board as a control in the digital business system, but ironically, they are also the most effective regulator of cybersecurity governance reform — often forcing boards to change their cybersecurity governance policies and practices after a cybersecurity incident.

Boardroom leaders are winning by paving a new governance path forward that recognizes that the boardroom status quo is not sufficient to address the unique opportunities and risks of the digital future. Their victories create leading practices that allow them to do their jobs more effectively with proven benefits to their shareholders and other stakeholders.

But while boardroom battles have been won, the war rages on. Here’s what the digital, cybersecurity and systemic governance path has in store for the boardroom in 2025.

1. The penalties for being a boardroom laggard in digital, cybersecurity and systemic risk oversight are expanding and increasing.

When risk advances faster than the effectiveness of risk management, the impacts of realized risk expand considerably, and often exponentially. Some of that was apparent in 2024 as cybersecurity incidents at UnitedHealth Group and CrowdStrike had unexpected and unprecedented impacts. UnitedHealth Group has disclosed that its cybersecurity incident cost the company almost US$2.5 billion in 2024 — a financial bill that UNH investors foot through wasted capital. CrowdStrike’s stock price was down 40% after its incident. Whether financial costs, share price impacts, brand, customer trust or loyalty, third-party liability, or legal costs, the costs and expenses of these incidents will only increase for the boardroom laggards.

The laggards are ensuring that the war will rage on. Expect more bad news, with far-ranging impacts as technologies like AI change the opportunity and risk landscapes for every company.

Forbes contributor and Professor Christian Stadler reported in November that his survey of C-suite executives and middle managers identified that technology shifts including AI/digital disruption are the top external factors that will impact business over the next twelve months.

Deloitte reported that AI is already being discussed in over half of boardrooms, with 46% reporting that more time should be devoted to it and 79% of boards reporting that they have no or limited experience with AI.

Trying to govern something that is not understood is not a recipe for success, as many boards have discovered with cybersecurity. Corporate governance needs to be a functioning control within the digital business system, with the right director skills, board structure and scope of risk oversight in place. While shiny new technology objects like AI get boards’ attention, corporate governance needs substantive governance process and policy reforms in order for the boardroom to be a useful and effective oversight body — and evidence shows that when boards are high-performing on these issues, significant business value is created.

Mike Kelley, Chief Information Security Officer and Head of Infrastructure Operations at the E.W. Scripps Company, put it this way: “With human resources stretched thin, the real challenge will be prioritizing innovation from AI’s allure and transformative potential without sacrificing operational resilience. Boards that fail to appreciate this tension risk setting their organizations up for brittle transformation instead of sustainable growth.”

The global 2025 Risk In Focus survey of the Internal Audit Foundation identified cybersecurity and digital disruption including AI as the #1 and #2 rated risks in the next three years, showing these issues as persistent challenges for the boardroom.

Cyber risk is the top factor driving enterprise risk according to FTSE 350 corporate secretaries in the UK in the Chartered Governance Institute’s Summer 2024 survey. This guarantees that cybersecurity remains a boardroom issue not just in the U.S. but in Europe. In this global risk environment, CEOs will wake up and realize that they are going it alone when they do not have director digital and cybersecurity expertise on the board.

Patrick Joyce, Global Resident Chief Information Security Officer (CISO) at Proofpoint, had this to say: “Hopefully 2025 will be the year that organizations begin to realize and understand the interconnected nature of risk, and how systemic and embedded that risk can become within supply chains, partnerships, and large scale data sharing in the year of the LLM.”

Cathy Skala, CEO and Founder, CureX, LLC, added: “In 2025, the biggest risk to governance will be underestimating the speed of AI-driven cyber threats. Boards must ensure management prioritizes dynamic, real-time risk assessments over static frameworks to stay ahead of evolving systemic vulnerabilities.”

The boardroom laggards will continue to set their companies up for failure in 2025, and the failures will grow. However, it’s really the CEOs, investors, customers and business partners who are being set up — a setup that can be avoided.

2. Those who do not believe that boards need directors with digital and cybersecurity expertise will find their views untenable. In 2025 director digital and cybersecurity expertise “crosses the chasm” from the early boardroom adopters and goes mainstream as a common-sense policy and irreplaceable control that offers almost immediate benefits, at little cost.

In 2023 the U.S. SEC failed to address the control weakness of director cybersecurity expertise by leaving director cybersecurity expertise disclosure out of its final cybersecurity rules, something that a surprising group of organizations advocated against. Nonetheless, this particular issue has still been advanced by boardroom and industry leaders who know that this common-sense boardroom control strengthens the entire cybersecurity system.

Research is emerging that documents the realized benefits when there is director cybersecurity expertise on the board. Virginia Tech has documented these benefits, which complements the long-standing research from MIT that shows the substantial value-creating benefits when there is broader director digital expertise on the board, such as AI expertise.

Progress on director digital and cybersecurity expertise is advancing. According to The Conference Board and ESGAUGE research published in December 2024, around 25% of S&P 500 directors had cybersecurity experience in 2024, up from about 12% in 2020, showing large-cap companies leading the way in reducing digital risk. While experience does not necessarily equate to expertise, this increase in disclosure indicates that companies feel this is useful information for investors to have.

According to research from EY on cybersecurity disclosures, cybersecurity was disclosed as an area of expertise sought by 72% of boards in 2024, up from 19% in 2018, demonstrating that boards now recognize the need for resident director cybersecurity expertise on the board, disappointing both the hackers and those organizations that advocate against this.

Also, according to EY, cybersecurity was disclosed in at least one director biography by 71% of boards in 2024, up from 34% in 2018, reflecting the growing importance of communicating this critical director competency to investors.

And where the SEC failed, the European Central Bank (ECB) became the first regulatory body worldwide to force boardrooms to strengthen their ability to govern cybersecurity: it now requires director cybersecurity expertise on the bank boards it supervises. It also requires director information, communications and technology (ICT) expertise on these bank boards, addressing the digital upside alongside the downside. The ECB recognized a systemic need for a collective leadership approach that strengthens the entire European financial system, not just one bank within it.

The Conference Board and ESGAUGE research also found that around 37% of S&P 500 directors had technology experience in 2024, up from about 19% in 2020.

As the realized benefits of director digital and cybersecurity expertise spread with even more evidence, the fear, uncertainty, and doubt that the boardroom status quo proponents attach to these issues will dissipate — and they will shrink into the shadows.

3. Tired of footing the bill for chronic cybersecurity failures, and newly aware of the value-creating opportunities of AI, institutional investors get into the game as a strong force of digital and cybersecurity governance reform. They join other regulatory, policy and governance reformists and influencers to tip the boardroom scale and normalize digital, cybersecurity and systemic risk oversight as a structured part of corporate governance.

Shareholder proposal advocate Tulipshare has pushed boardroom committee reform surrounding AI onto the 2025 proxy voting agenda for Berkshire Hathaway, recommending that Berkshire “charter a new committee of independent directors on artificial intelligence to address risks associated with the development and deployment of AI systems across its own operations as well as its portfolio companies.” This activist step signals the growing awareness investors have of the positive impacts that effective digital governance has on not only risk, but value creation. Board committees are a very powerful tool that helps boards bring knowledge specialization, focus, accountability, and task efficiency to issues. They are also a key part of the effective governance system that leading boards put in place for digital and cybersecurity oversight.

The world’s institutional investors are also shifting their focus in investment stewardship to several areas that will indirectly support boardroom effectiveness in digital, cybersecurity and systemic risk oversight. Sharpening the focus on the drivers of board effectiveness, which will of necessity include digital, cybersecurity and systemic risk oversight, ICGN CEO Jen Sisson declared that ICGN’s focus going forward “is on strong and effective boards achieved by skills and board composition and risk management alongside a culture and governance of emerging risks and transparent and useful reporting in investment stewardship.”

A significant NIST CSF 2.0 framework update specific to cybersecurity governance has served to normalize cybersecurity as a required boardroom function.

NIST CSF 2.0 was published and now includes GOVERN as a key domain, an acknowledgment from this leading standards body of the importance of the boardroom role in protecting business value that depends on the digital business system. The 31 key GOVERN principles or processes included in NIST CSF 2.0 are a critical step towards normalizing how boards do this.

Ezra Ortiz, Cybersecurity Oversight and Strategy Advocate, had this to say: “If boards continue following the same reactive path, there’s little hope for meaningful change. Governance systems must evolve from passive risk management to active drivers of business resilience and digital growth — directors must guide digital and cyber strategy, not just oversee incidents.”

The U.S. SEC’s cybersecurity disclosure rules also served to normalize cybersecurity risk and governance with investors, the C-suite and the boardroom, even with their implementation pains.

With the new rules, there has been a 60% increase in the number of cyber incidents disclosed by public companies, according to research that law firm Paul Hastings published in December 2024. Increasing transparency for investors was one of the goals of the SEC’s cybersecurity disclosure rules.

However, most of these filings are non-compliant with the new rules. Paul Hastings reports that fewer than 10% of the disclosed incidents include a description of the material impacts of the incident. This illustrates either deliberate non-compliance or a lack of useful internal processes for determining the material impacts of cybersecurity incidents — the very processes the SEC wants companies to get better at in order to improve investor transparency.

Paul Hastings reported that one in four disclosures stemmed from a third-party incident, showing the importance of understanding and mitigating systemic risk throughout complex digital business systems. The SEC rules raised awareness of this aspect of digital risk, and CrowdStrike helped too.

AI marketing executive and board member Caitlin Clark-Zigmond views the issue this way: “The greatest cybersecurity threat isn’t the next sophisticated attack — it’s the growing interconnectedness of our digital ecosystems. One company’s vulnerability is now everyone’s vulnerability. In 2025, systemic risk governance isn’t just about protecting your organization; it’s about safeguarding the entire digital economy.”

None of these developments is, in and of itself, a breakthrough, although together they demonstrate that the status quo has indeed changed. Even so, these are not revolutionary or radical developments in corporate governance — they are common-sense and long-overdue policies that are proven to work, and in many ways reflect the basics of effective corporate governance.

Elliott Franklin, CISO at Fortitude-Re, put it this way: “While AI and automation are reshaping the landscape, 2025 will remind us that the fundamentals remain paramount. Resilience through robust backup strategies, vulnerability management, and strong identity management will continue to be the backbone of effective cybersecurity and systemic risk governance.”

Get the basics right, and the rest will follow. The boardroom future is bright for digital, cybersecurity and systemic risk governance and for the companies whose boardrooms are high-performing parts of how their digital business systems create and protect value. Investors and other stakeholders have reasons to celebrate, but the party is just starting.
