15 Fair Warning Has Been Given: What Do Directors Need to Do Now to Respond to Cyber Risk?
Lloyd Komori, BA Dip IT, CDir, ACC, HRCC
Board Director, Instructor, Risk Management Sensei
It is no surprise to anyone who serves on the board of directors of any publicly listed or large not-for-profit organization that the job is a lot more challenging today than it was 25 years ago. The call for greater disclosure of climate change and equity, diversity, and inclusion strategies has added to the perennial conversation on executive compensation and other mainstream governance issues. While all of these challenges give rise to disclosure-related risks, one challenge represents an existential risk to every organization and therefore every board director—the risk of a cyberattack.
Now, in 2023, in the wake of sweeping regulations introduced by governments and regulatory authorities alike, board directors must initiate immediate action to respond or risk very significant civil and potentially criminal prosecutions. Plainly stated, board directors have been given notice and fair warning. Woe to those who decide to lie low and hope that these changes will blow over or be watered down. Given the pace of digital innovation and the role it has in every walk of our lives and our businesses, cyber risk will lay waste to those that decide to follow the words of poet Thomas Gray, who first coined the phrase “Where ignorance is bliss, ’Tis folly to be wise.”
Setting the Stage