
Board Cyber Risk Oversight: What Directors Need to Know

SEC rules now require board-level cybersecurity disclosure. Here's what to actually track.

By Richard Ewing

The SEC Mandate

The SEC's cybersecurity disclosure rules, adopted in July 2023 and in force for filings since December 2023, require public companies to report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material, and that determination must be made without unreasonable delay after the incident is discovered. The annual report must also describe, under Regulation S-K Item 106, how the company assesses and manages cyber risk and how the board oversees it. Note that the four-day clock runs from the materiality determination, not from discovery or containment, so the process by which management reaches that determination is itself something the board should see and approve.

A board dashboard should track at least the following, reported on a fixed cadence so that trends are visible rather than single snapshots:

- Security posture score: one aggregate risk figure, with the scoring method stated so the board can tell a real change from a rescoring.
- Open critical vulnerabilities: count and age, including how many have exceeded the remediation target.
- Incident history: incidents in the last 12 months, flagging any that were assessed as material.
- Security investment as a percentage of IT budget (benchmark: 10-15%).
- Cyber insurance coverage versus the estimated cost of a breach, so the uninsured exposure is explicit.
- Compliance status (SOC 2, ISO 27001, etc.), with the date of the most recent audit.
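As an added illustration (this is example code, not code from the article or from the author's practice), the following Python assembles those dashboard figures from constructed sample data and also computes the Form 8-K filing deadline from the date an incident is determined to be material. The sample findings and incidents, the 30-day remediation target, the budget and insurance numbers, and the holiday list are assumptions made for the example; a real calendar of market holidays would come from the filer's counsel.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str                  # "critical", "high", "medium", "low"
    opened: date
    closed: Optional[date] = None  # None means still open


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: date
    material: bool                 # outcome of the materiality assessment


# Constructed sample data for this example; not real findings or incidents.
AS_OF = date(2024, 6, 28)          # reporting date, a Friday
VULNS = [
    Vulnerability("V-1", "critical", date(2024, 5, 1)),
    Vulnerability("V-2", "critical", date(2024, 6, 20)),
    Vulnerability("V-3", "critical", date(2024, 3, 1), closed=date(2024, 4, 15)),
    Vulnerability("V-4", "high", date(2024, 6, 1)),
    Vulnerability("V-5", "critical", date(2024, 6, 10)),
]
INCIDENTS = [
    Incident("I-1", date(2023, 7, 10), material=False),
    Incident("I-2", date(2023, 5, 1), material=False),
    Incident("I-3", date(2024, 3, 5), material=True),
]
# Assumed market holiday for the deadline example (US Independence Day, 2024).
SAMPLE_HOLIDAYS = (date(2024, 7, 4),)


def open_critical_vulns(vulns, as_of):
    """Critical findings that were open on the reporting date."""
    return [v for v in vulns
            if v.severity == "critical" and v.opened <= as_of
            and (v.closed is None or v.closed > as_of)]


def critical_age_summary(vulns, as_of, sla_days=30):
    """Count plus age distribution of open criticals; sla_days is an assumed remediation target."""
    ages = [(as_of - v.opened).days for v in open_critical_vulns(vulns, as_of)]
    return {
        "count": len(ages),
        "oldest_days": max(ages, default=0),
        "median_days": median(ages) if ages else 0,
        "past_sla": sum(1 for a in ages if a > sla_days),
    }


def incidents_last_12_months(incidents, as_of):
    """Incidents in the trailing 365 days, and how many were assessed as material."""
    window_start = as_of - timedelta(days=365)
    recent = [i for i in incidents if window_start < i.occurred <= as_of]
    return {"count": len(recent), "material": sum(1 for i in recent if i.material)}


def security_spend_ratio(security_budget, it_budget):
    """Security investment as a fraction of the IT budget."""
    return security_budget / it_budget


def coverage_gap(insurance_limit, estimated_breach_cost):
    """Uninsured exposure: the part of the estimated breach cost the policy would not cover."""
    return max(0, estimated_breach_cost - insurance_limit)


def form_8k_deadline(materiality_determined, holidays=(), business_days=4):
    """Filing deadline: four business days after the day materiality is determined.

    The determination day itself is not counted; weekends are skipped, as are any
    dates the caller supplies as market holidays (the calendar is the caller's job).
    """
    d = materiality_determined
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


def board_dashboard(vulns, incidents, as_of, security_budget, it_budget,
                    insurance_limit, estimated_breach_cost):
    """Assemble the figures a board pack would show for one reporting period."""
    return {
        "open_criticals": critical_age_summary(vulns, as_of),
        "incidents_12m": incidents_last_12_months(incidents, as_of),
        "security_spend_pct": round(100 * security_spend_ratio(security_budget, it_budget), 1),
        "coverage_gap": coverage_gap(insurance_limit, estimated_breach_cost),
    }


if __name__ == "__main__":
    pack = board_dashboard(VULNS, INCIDENTS, AS_OF, 1_200_000, 10_000_000,
                           5_000_000, 8_000_000)
    for key, value in pack.items():
        print(f"{key}: {value}")
    print("8-K due:", form_8k_deadline(AS_OF, holidays=SAMPLE_HOLIDAYS))
```

Run as a script it prints the period's figures and the filing date. Two details matter more than the arithmetic: the age summary is computed against the findings that were open on the reporting date rather than against whatever is open when the slide is built, so the number is reproducible at the next meeting, and the deadline function counts from the materiality determination rather than from discovery, which is the distinction the rule turns on.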


Published Work

This article expands on ideas from my published work in CIO.com, Built In, Mind the Product, and HackerNoon.


Richard Ewing

The Product Economist — Quantifying engineering economics for technology leaders, PE firms, and boards.