A year into theSEC’s cybersecurity disclosure rule, enterprises continue navigating new transparency and accountability requirements. While the rule aims to elevate cybersecurity as a boardroom priority, many organizations still grapple with the depth of changes required to meet these standards. Yet, as cybersecurity leaders Bob Zukis, Founder and CEO of Digital Directors Network, and Idan Fast, CTO and co-founder of Grip Security, suggest, compliance is only the beginning. Building true resilience demands that companies go beyond basic disclosure to establish meaningful, board-driven oversight that addresses the complex and interconnected risks inherent in today’s digital landscape. “The ultimate regulator in cybersecurity isn’t the SEC—it’s the hacker,” says Zukis, highlighting that resilience hinges on a proactive, board-level approach to risk that outpaces mere compliance. Listen in to the full discussion now:

‍

Year One of the SEC Cybersecurity Rule: How Did it Go?

The SEC rule takes a two-pronged approach, the first requiring organizations to disclose their broader risk management strategies and bring awareness at the leadership level. Zukis commented that organizations have improved their cybersecurity strategies, and the boardroom has heightened awareness about those tactics. However, the second piece of the rule is about disclosing incidents that have a material impact on investors. But despite this directive, Zukis cites widespread “deliberate non-compliance” in incident reporting. It’s not that companies aren’t filing reports but rather often stop short of providing details about the impacts of incidents, a reluctance that reflects the challenges many organizations face in embracing full transparency. “We’re seeing non-compliance on the incident disclosure side and more superficial compliance on the risk management side,” Zukis explains. He sees this as a wake-up call for companies to develop robust internal processes to assess materiality—an area that remains weak in many boardrooms today.

Defining Materiality

Defining the materiality of an incident under the SEC cybersecurity rule has been confusing for many organizations, particularly as it marks the first time the SEC’s materiality standard intersects with the technical complexities of cybersecurity incidents. Unlike some expectations for quantitative thresholds, the SEC’s approach relies on a more nuanced assessment: whether a reasonable investor would find the information, qualitatively or quantitatively, critical to making an informed investment decision. As Zukis explained, defining materiality has caused uncertainty, with some companies adopting incorrect or overly simplistic interpretations of what qualifies as material. Instead, the rule emphasizes a disclosure process grounded in transparency and accountability. Organizations must assess materiality on a case-by-case basis, monitor ongoing incidents, and continuously gather information to determine when disclosure is necessary. “If you think an incident is material to that investment decision, then you disclose. If you don’t think it’s material, don’t disclose it, but keep monitoring it, keep your incident response plan going, and gather more information until you’ve reached your threshold where it’s time to tell your investors about it. That’s really what the SEC is all about,” Zukis said. This maturation of internal processes is essential to meet regulatory requirements and deepen corporate understanding of how cybersecurity incidents ripple through digital business systems and impact stakeholders.  

Board-Level Cybersecurity Expertise

One significant shift that’s gained traction is the demand for expertise in the boardroom. Idan Fast notes that increased scrutiny from regulatory bodies has heightened boardroom awareness, pushing companies to enhance reporting structures and empower board members with a deeper understanding of cybersecurity. Yet, Zukis warns that many boardrooms still lack the specialized knowledge needed to ask tough questions about systemic risk.

“We don’t send plumbers to do dental work,” Zukis states, underscoring the need for qualified cybersecurity experts in corporate governance. According to Zukis, “This isn’t amateur hour… Board oversight must be informed by genuine expertise to drive effective risk management.”

Systemic Risk: A Growing Blind Spot

Both Zukis and Fast caution that the complexities of today’s technology ecosystems introduce an underappreciated risk: systemic vulnerabilities. With 85% of SaaS applications and 91% of AI tools flying under IT’s radar, Fast warns that SaaS dependence and shadow IT have rendered traditional security programs ineffective in many respects.

“Systemic risk isn’t about isolated incidents; it’s about interconnected vulnerabilities that could impact entire systems,” explains Zukis, citing examples like SolarWinds and CrowdStrike. Similarly, the Microsoft Midnight Blizzard attack demonstrated how the breach of a forgotten test account escalated into a sophisticated operation, compromising sensitive data from the emails of Microsoft’s top executives—an example of how zombie accounts can amplify security risks if not identified and addressed. “It’s an indicator of the expanding complexity of systems and the expanding difficulty of understanding the risk environment that can create damage throughout the system,” noted Zukis. Fast agreed adding, “It’s not surprising that we’re seeing more and more risk emerge from the usage of software in a SaaS model either. And I think traditionally it was sort of a siloed approach where organizations thought, ‘Oh, we’ll set up a SaaS security program,’ and I think over time, people are now realizing that SaaS is more systemic across the entire business.”

What’s Next? Anticipating the Future of Systemic Risk Governance

As organizations look to the future of systemic risk governance, it’s clear that the key to meaningful progress lies in strengthening board-level oversight. According to Zukis, this requires building a system of governance that equips boards with the expertise, skills, and structure to grasp and address today’s complex risk landscape fully. Strengthening leadership as a control doesn’t just improve cybersecurity—it has a ripple effect, fortifying all other organizational controls. “The evidence shows that when we strengthen the board as a control, companies reduce their risk and drive more business value,” Zukis asserts. He believes this approach is no longer optional but essential for enterprises that aim to lead.

And what about the impact of the new U.S. administration on cybersecurity governance?  

Fast believes we’ll see a widening divide between the US and Europe regarding innovation. As he observes, stricter privacy laws in Europe, such as GDPR, have already stifled innovation in certain sectors, a trend that could accelerate if regulatory disparities grow. U.S.-based companies have had fewer government mandates, but we may see that change with the new administration.  

Yet, as Zukis points out, the ultimate regulator remains the hacker. Whether or not government enforcement is strong, companies that fail to address systemic risks and adopt leading practices will face the consequences—whether through financial losses, reputational damage, or increased vulnerability. “The risk environment isn’t going to change; it’s going to get worse,” Zukis warns.  

While the SEC rule has certainly put cybersecurity on the boardroom agenda, both Zukis and Fast conclude that awareness is only the first step. True resilience calls for a culture shift, where organizations prioritize systemic risk governance and transparency, plus the expertise to anticipate—and not merely react to—the next wave of cyber threats.

Additional Resources

2025 SaaS Security Risks Report

SEC Cybersecurity Disclosure Requirements Cheat Sheet

‍