Four Questions Boards Now Ask Security Leaders


Four Questions Boards Now Ask Security Leaders — And Where Most CSOs Lose the Room Defending the Standing They Spent a Decade Building

Where board-level cyber oversight now lives operationally in 2026 across U.S., UK, EU and Asian regulated jurisdictions, and what the documented research from EY, Trend Micro and Gartner says about why the credibility gap costs CSOs their position.

Research commissioned by Trend Micro and conducted by Sapio Research across 2,600 IT leaders in LATAM, North America, Europe and the Middle East found that 79 percent of CISOs reported boardroom pressure to downplay the severity of cyber risk and 34 percent said their board dismissed their warnings out of hand. Gartner's 2024 Board of Directors Survey found 84 percent of directors now identify cybersecurity as a business risk. EY's 2024 Center for Board Matters analysis of Fortune 100 disclosures found 72 percent of companies now disclose cyber as an area of expertise sought on the board, up from 19 percent in 2018. The boards have caught up, and the questions have changed. CSOs and Heads of Security at crypto exchanges, fintechs, iGaming operators, payment processors and DeFi protocols in the U.S., UK and EU now face board scrutiny calibrated to the SEC's cybersecurity disclosure rules, NYDFS Part 500, the EU Digital Operational Resilience Act (DORA), NIS 2, the UK FCA's Principle 11 and the new AMLA single rulebook. Four questions separate the security leaders who defend their standing from those who lose the room.

Where board cyber oversight now lives operationally

The shift in board-level scrutiny of cyber risk is not a change in sentiment. It is structural, driven by converging regulatory frameworks across the jurisdictions where regulated crypto-native, fintech, iGaming and payments operators are licensed. In the United States, the SEC's cybersecurity disclosure rules (adopted in July 2023 and effective from the 2023 reporting cycle) require public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material, and to describe annually on Form 10-K how the board oversees cybersecurity risk. The New York Department of Financial Services finalized the Second Amendment to 23 NYCRR Part 500 on November 1, 2023, with phased compliance reaching its final stage on November 1, 2025, when the multi-factor authentication (Section 500.12) and asset-inventory (Section 500.13) requirements took effect. Covered entities must file an annual certification signed by the highest-ranking executive and the CISO by April 15 each year under Section 500.17(b); the April 15, 2026 certification, covering calendar year 2025, is the first under the fully phased Second Amendment.

In the European Union, the Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025, imposing ICT risk management, incident classification and reporting, third-party ICT provider oversight (Articles 28 to 44) and resilience testing requirements on financial entities, including crypto-asset service providers. NIS 2 (Directive 2022/2555) is being transposed into national law across EU member states, with management bodies held personally accountable for infringements under Article 20. The new Anti-Money Laundering Authority (AMLA) began operating in July 2025; it will apply the single rulebook of the Anti-Money Laundering Regulation (Regulation (EU) 2024/1624), which applies from July 2027, and its direct supervision of selected high-risk cross-border financial entities is scheduled to begin in 2028. The General Data Protection Regulation (GDPR) Article 33 requires notification of a personal-data breach to the supervisory authority within 72 hours of becoming aware of it.

In the United Kingdom, the Financial Conduct Authority's Principle 11 requires firms to deal with their regulators in an open and cooperative way and to disclose to the FCA anything relating to the firm of which the FCA would reasonably expect notice. The FCA Cyber Resilience Questionnaire and the SYSC 13 governance requirements apply to authorized firms. The corporate "failure to prevent fraud" offense under the Economic Crime and Corporate Transparency Act 2023, in force since September 1, 2025, expands corporate accountability and is expected to produce its first high-profile prosecutions in 2026. The Bank of England, the Prudential Regulation Authority and the NCSC publish parallel guidance for critical sectors.

In Germany, BaFin supervised ICT risk management under BAIT until DORA superseded it for in-scope entities in January 2025, and the BSI (Federal Office for Information Security) administers the IT-Sicherheitsgesetz and KRITIS framework, with mandatory incident reporting for critical infrastructure operators. The collaboration between ISA and BSI produced a German edition of the Cyber-Risk Oversight Handbook in 2024. Across the eurozone, AMLA convergence and DORA harmonization replace the previous patchwork of national interpretations with a single-rulebook posture.

Across these jurisdictions, the published research is unambiguous about what is happening inside boardrooms. The Trend Micro CISO Credibility Gap report, conducted by Sapio Research across 2,600 IT leaders in LATAM, North America, Europe and the Middle East, documented that 79 percent of CISOs reported boardroom pressure to downplay severity; 43 percent said they were perceived as nagging or repetitive; 42 percent as overly negative; and 34 percent reported being dismissed out of hand. EY's 2024 analysis of Fortune 100 cybersecurity disclosures (79 companies that filed proxies and 10-Ks through May 31, 2024) found that 72 percent now disclose cybersecurity as an area of expertise sought on the board (vs. 19 percent in 2018), 71 percent disclose cybersecurity in at least one director biography, 95 percent include language about the frequency of management reporting to the board, 70 percent specifically mention the CISO (vs. 28 percent in 2022), 47 percent report performing simulations or tabletop exercises (vs. 3 percent in 2018), and 57 percent report at least annual or quarterly dedicated board time on cyber. Gartner's 2024 Board of Directors Survey found that 84 percent of directors now identify cybersecurity as a business risk. The National Association of Corporate Directors and the Internet Security Alliance issued the fourth edition of the Director's Handbook on Cyber-Risk Oversight in March 2023; the European Confederation of Directors Associations (ecoDa) and ISA released the second edition of the European Handbook in 2024, and ISA and BSI published the German Handbook in 2024. A fifth U.S. edition is reportedly in development with DHS and FBI input but has not yet been published. The framework boards now use to question security leaders is documented, and it is converging across jurisdictions.

Four questions security leaders now face from regulated-sector boards

The four questions below are framed in the language regulated-sector boards use in 2026. Each is a test of a security leader's ability to defend their standing at the next board meeting, whether the entity is supervised by NYDFS, the SEC, the FCA, BaFin, the Central Bank of Ireland, the AFM, the Malta Financial Services Authority, the Spanish CNMV, AMLA at the EU level, or several of these at once. Each anchors to the specific frameworks the security leader's regulators and external auditors are themselves working from.

1. What does our next cybersecurity incident cost us, and how do we know?

Boards ask this because they are required to. The SEC requires disclosure of a material cybersecurity incident on Form 8-K within four business days of the materiality determination. DORA Article 18 requires classification of ICT-related incidents, and Article 19 requires reporting of those classified as major. NIS 2 Article 23 requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, intermediate reports on request and a final report within one month. The board needs to know what "material" means for this entity, in financial terms, before the incident occurs. The CISO who can answer "here is our exposure quantified in EUR, GBP or USD, here is the methodology, here is the threshold at which our disclosure obligations trigger, and here is how that maps to the FCA Principle 11 expectation, the DORA classification and the SEC materiality determination" holds the room. The CISO who answers in qualitative terms ("high risk," "significant exposure") does not. EY's 2024 data showed 87 percent of Fortune 100 companies now disclose engagement of independent external advisors for cyber oversight, more than double the 43 percent of 2023. One third of CISOs in the Trend Micro Sapio Research study reported being dismissed out of hand; risk communication that does not connect to the board's capital-allocation framework is the most likely reason.

2. Who does what in the first 72 hours after an incident, and what slows the clock?

Multiple regulatory frameworks now converge on a 72-hour window for incident notification. GDPR Article 33 requires notification of a personal-data breach to the supervisory authority within 72 hours of awareness. DORA Article 19, as detailed in the ESAs' technical standards, requires an initial notification of a major ICT-related incident within four hours of classifying it as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours and a final report within one month. NYDFS Part 500.17(a) requires notification to the Department within 72 hours of determining that a cybersecurity incident has occurred, notification of any extortion payment within 24 hours of the payment, and a written explanation of why the payment was necessary within 30 days. The UK FCA expects firms to inform the regulator promptly under Principle 11. The board does not want a generic incident response plan. It wants to know specifically who calls the regulator, who engages external counsel, who authorizes the public statement, who authorizes ransom decisions, who briefs whom, and what the documented and tested escalation timeline is, in hours. Recent NYDFS enforcement against Gemini Trust ($37 million in 2024) and Block, Inc. ($40 million in 2025) made visible what regulators consider unacceptable on this dimension. In Trend Micro's research, 80 percent of the IT leaders surveyed said their board acted decisively on cyber only after a breach, which is why boards now pay particular attention to whether the pre-incident plan is real, tested and documented. EY's 2024 analysis found 47 percent of Fortune 100 companies now disclose performing simulations or tabletop exercises, up from 3 percent in 2018; the trend line is steep precisely because boards now ask.

3. Which third-party dependency could take us down with them?

Third-party risk has moved from a compliance topic to a board-level governance question. The SEC's cybersecurity disclosure rules apply to incidents at third-party service providers when they are material to the company. DORA dedicates Articles 28 through 44 to ICT third-party risk management, including the designation of critical ICT third-party service providers subject to direct oversight by the European Supervisory Authorities. NIS 2 Article 21 lists supply chain security among the required risk-management measures. NYDFS Part 500.11 requires risk-based third-party service provider security policies and procedures; the $37 million Gemini Trust penalty in 2024 referenced Section 500.11 failures around oversight of a third-party lending partner. In the UK, the PRA's Supervisory Statement SS2/21 on outsourcing and third-party risk management and the FCA's SYSC 8 outsourcing rules extend operational resilience expectations to outsourced services. The 2025 Verizon Data Breach Investigations Report found that third-party involvement in breaches doubled to 30 percent globally. Coinbase's third-party customer-support breach, disclosed in May 2025 with an estimated $180 to $400 million in remediation costs per the company's 8-K filing, and followed by arrests in India in December 2025, became the operational reference case across boardrooms. The CISO who can name, by service, the three vendors whose failure would trigger a material disclosure, and demonstrate the contractual, operational and substitution controls in place for each, holds the room. The CISO who cannot does not.

4. What will regulators ask us six months from now that we cannot answer today?

Boards ask this because they want forward visibility, not retrospective reassurance. In 2026 the question is concrete. By April 15, 2026, NYDFS-covered entities must file the first annual certification under the fully phased Part 500 Second Amendment, signed by the highest-ranking executive and the CISO and supported by evidence sufficient to demonstrate compliance with the requirements that took effect on November 1, 2025 (multi-factor authentication and asset inventory) as well as everything that came before. DORA is fully applicable, with its first cycles of register-of-information reporting and major-incident reporting behind supervised entities. The EU Anti-Money Laundering Regulation (2024/1624) applies from July 2027 under AMLA supervision, so the gap-closure work runs through 2026. The U.S. GENIUS Act, signed on July 18, 2025, established a federal licensing regime for payment stablecoin issuers with the OCC as the federal supervisor. The UK Financial Conduct Authority continues to expand its cyber resilience expectations. The board is asking the CISO whether the entity will pass these checkpoints. The CISO who presents a forward calendar mapped to specific regulatory dates, with specific gap-closure milestones and named accountable executives, holds the room. The CISO who answers with framework alignment in the abstract does not. The board, increasingly, has the framework knowledge to tell the difference.

The four read as a single test of standing

Read together, the four questions describe what regulated-sector boards now expect security leaders to deliver: cost-quantified materiality; documented, tested incident response timelines; named third-party concentration risk with substitution controls; and a forward regulatory calendar with gap-closure milestones. The CISO who can answer all four in board language holds and extends their standing. The CISO who can answer two does not. Trend Micro's Sapio Research data on 2,600 IT leaders found that 46 percent reported higher credibility when they could measure the business value of their cybersecurity strategy, and the inverse holds as well. The credibility gap is not personal. It is structural: the distance between the language boards now use and the language some security leaders still use. The four questions are the bridge.

Closing

Boards in 2026 operate with materially more cyber-risk fluency than they had three years ago, driven by the SEC disclosure rules, the full phase-in of the NYDFS Part 500 Second Amendment, DORA's full applicability, NIS 2 transposition, AMLA's operationalization, FCA Principle 11 expectations and a wave of enforcement actions that make the cost of an unanswered question concrete. The CISOs and Heads of Security who treat their next board meeting as an opportunity to answer the four questions above, in the regulator's language and with documented evidence, are compounding their standing. Those who do not are watching boards bring in advisors who will: EY's 2024 data showed external-advisor disclosures more than doubled in a single year. The trajectory is visible, and the four questions above are where it crosses the next board meeting.

If you are preparing for your next board cyber discussion and want to walk through how these four questions land against your operation across the jurisdictions where you are supervised, the Toeshee team is available for a 30-minute conversation. Request: operations@toeshee.io

We power user trust in Web3, one interaction at a time.

Crypto-native. Compliance-built.

ABOUT TOESHEE

Toeshee is the Web3-dedicated division of The Center Source Group, delivering crypto-native customer support infrastructure for exchanges, crypto payment processors, iGaming, fintech and DeFi operators in regulated jurisdictions across the U.S., UK and EU. We work behind the curtain — integrating into client-defined workflows under environmental and identity-assurance controls applied to the support workspace itself, executing customer experience, trust-and-safety, technical support, risk-operations and security-compliance functions to the disciplines our clients are themselves accountable for under their applicable supervisory frameworks.

References available on request. This analysis draws on: Trend Micro's CISO Credibility Gap report (Sapio Research, 2,600 IT leaders in LATAM, North America, Europe and the Middle East, 2024); EY Center for Board Matters, Cybersecurity Oversight Disclosures: What Companies Shared in 2024 (Fortune 100 companies that filed Form 10-Ks and proxy statements through May 31, 2024); the Gartner 2024 Board of Directors Survey; the NACD-ISA Director's Handbook on Cyber-Risk Oversight (4th edition, March 2023); the ecoDa-ISA Handbook for European Corporate Boards (2nd edition, 2024); the ISA-BSI German Handbook on Cyber-Risk Oversight (2024); the SEC cybersecurity disclosure rules (adopted July 2023, effective from the 2023 reporting cycle); 23 NYCRR Part 500 Second Amendment (finalized November 1, 2023; full phase-in November 1, 2025; first fully phased annual certification due April 15, 2026) and the related NYDFS enforcement actions against Gemini Trust ($37 million, 2024) and Block, Inc. ($40 million, 2025); the EU Digital Operational Resilience Act (DORA, fully applicable January 17, 2025); the NIS 2 Directive (2022/2555); the EU Anti-Money Laundering Regulation (2024/1624, applicable from July 2027) and AMLA's start of operations in July 2025; the UK FCA Principle 11 and SYSC 13; the PRA's SS2/21 and the FCA's SYSC 8; the BaFin BAIT and BSI KRITIS frameworks; GDPR Article 33; the Verizon 2025 Data Breach Investigations Report; and Coinbase's May 15, 2025 SEC Form 8-K disclosing the third-party customer-support breach. All metrics cited trace to documented primary sources.

Prepared by Patricia Torres Cabarcas  —  Senior Growth & Positioning Consultant
