Cybersecurity is a Governance Imperative

By Viktoria Bakos | July 22, 2025

It’s time for boards and CISOs to face a hard truth: Cybersecurity is no longer just about preventing breaches. It’s about leadership, governance, and public trust.

Over the past two years, enforcement actions on both sides of the Atlantic have made one thing clear: regulators aren’t waiting for your network to be breached. They’re scrutinizing how you talk about data, how you actually handle it, and whether your internal controls match your public claims.

You don’t have to get hacked to get fined anymore.


In the U.S.: Misleading Your Users Is a Cybersecurity Violation

Let’s start with BetterHelp. In a groundbreaking case, the FTC charged the online counseling service with deceptive practices—not for a breach, but for sharing sensitive user health data with advertising platforms after promising users that it would be kept confidential (Gibson Dunn, 2024).

The outcome? A settlement that required BetterHelp to pay $7.8 million in consumer redress, banned it from sharing health data for advertising, and required affirmative express consent before personal data could be disclosed to third parties for other purposes.

Key shift: The FTC treated the gap between a company’s privacy promises and its actual data-sharing practices as deception under Section 5 of the FTC Act. You can be held liable for misleading your users—even if you haven’t had a data breach.

What this means for leadership: You need to scrutinize your privacy language and verify that your actual practices, including every third-party SDK and tracking pixel in your stack, align with it. If your CISO, CMO, and legal counsel aren’t on the same page, you’re exposed.


🇪🇺 In the EU: GDPR Doesn’t Just Bark—It Bites

Across the Atlantic, regulators aren’t holding back either. The Irish Data Protection Commission hit Meta with a €1.2 billion fine for violating GDPR rules on cross-border data transfers (Komnenic, 2024).

Meta had to suspend EU-to-U.S. data transfers and overhaul its processing operations. This wasn’t a slap on the wrist—it was a signal flare for the rest of the tech world.

Key takeaway: If your international data practices don’t align with GDPR’s Chapter V rules on transfers to third countries (Article 44 onward), you’re not just risking fines. You’re risking your entire operational model in Europe.

For boards, that means: Don’t silo your compliance strategy. Make sure privacy, security, and international legal teams are working off the same map.


🧾 Disclosure Isn’t a Form—It’s a Fiduciary Responsibility

What’s even more telling is how the SEC has been pursuing companies for cybersecurity disclosure failures—even where the underlying breach had already been contained and remediated.

In 2024–2025, enforcement actions against companies like Check Point, Avaya, and Ashford Inc. revealed a new SEC priority: accurate, timely, and complete disclosure of cyber incidents and risks (Holland & Knight, 2025).

This isn’t about incident response. It’s about governance.

New normal: The SEC treats incomplete or misleading cyber risk disclosures as securities-law violations in their own right, not merely as IT failures. That puts CISOs, CIOs, and boards on the hook—not just the IT department.

If you're still treating disclosures like boilerplate language, you're underestimating the reputational and legal risk.


🧠 Cybersecurity Governance Is Now Board-Level Strategy

Together, these cases paint a very clear picture:

  • Regulators are broadening the definition of non-compliance
  • Fines are massive, even without a breach
  • Governance failures—not just technical gaps—are getting punished
  • Trust is now a quantifiable asset on your balance sheet

As a board member or CISO, your role isn’t just to prevent technical failures—it’s to create a culture of transparency, accuracy, and ethical data handling.

Your organization should be asking:

  • Do we know what data we collect, and how we justify it?
  • Are our privacy promises aligned with our actual tech stack?
  • Can we explain our cybersecurity posture in plain terms to regulators and users?
  • Is our board regularly briefed on both compliance risk and governance blind spots?

Panel Comment Invite: Where Do We Go From Here?

We invite you to weigh in:

  • How are you embedding cybersecurity into your governance strategy?
  • What frameworks have helped you align board priorities with regulatory shifts?
  • What’s your take on balancing international compliance (like GDPR) with U.S.-based risk governance?

Drop your insights in the comments, or tag someone who should be part of the conversation.


📚 References

Gibson Dunn. (2024, January 29). U.S. cybersecurity and data privacy review and outlook — 2024. https://www.gibsondunn.com/wp-content/uploads/2024/01/us-cybersecurity-and-data-privacy-outlook-and-review-2024.pdf

Holland & Knight. (2025, July 3). The dust settles in SEC’s cybersecurity lawsuit against SolarWinds CISO. https://www.hklaw.com/en/insights/publications/2025/07/settlement-alert-the-dust-settles-in-secs-cybersecurity-lawsuit

Komnenic, M. (2024, February 1). 61 biggest GDPR fines & penalties so far [2024 update]. Termly. https://termly.io/resources/articles/biggest-gdpr-fines/
