Enterprise Risk
Cybersecurity Board Oversight Is Still Broken, Gartner Data Shows
In June 2026, Gartner analyst Sam Olyaei stood in front of a room of security executives at the Security & Risk Management Summit and compared boardroom cybersecurity oversight to renewing car insurance: a checklist item nobody enjoys, filed away and forgotten until something breaks. Ten years ago, that comparison would have been unremarkable. In 2026, it’s a problem, because the data now shows boards are paying attention. They just aren’t acting on what they hear.
That’s the uncomfortable core of this year’s cybersecurity board oversight story. Ninety three percent of board members now agree cyber risk threatens shareholder value. Ninety eight percent expect the threat to grow within two years. And yet only 29% of directors describe the cybersecurity updates they receive from their CISO as “very effective.” Something is breaking down between recognition and response, and the gap is costing companies real money, real fines, and in at least one case this year, a CEO’s job.
Table of Contents
- The trillion dollar number everyone misquotes
- What a breach actually costs in 2025 and 2026
- The boardroom paradox: 93% concern, 15% influence
- How companies are routing around SEC disclosure rules
- Coupang: what governance failure actually looks like
- The fix Gartner is pushing: talk balance sheets, not firewalls
- FAQ
The Trillion Dollar Number Everyone Misquotes
Start with the number that shows up in nearly every cybersecurity pitch deck: $10.5 trillion. That figure comes from Cybersecurity Ventures, which projected global cybercrime damages would hit $10.5 trillion by 2025. It first appeared in the firm’s 2016 “Hackerpocalypse” report and has been recycled in thousands of vendor blogs and conference keynotes since, usually presented as a live 2026 statistic. It isn’t. It’s a 2025 projection, and the firm behind it has quietly revised its own math.
Founder Steve Morgan has started publicly correcting the record. Other outlets, he says, kept applying his firm’s older 15% annual growth rate to produce headline-grabbing but unsustainable numbers, like claims of $23 trillion by 2027. Cybersecurity Ventures now projects a much slower climb, expecting cybercrime costs to plateau at roughly 2.5% annual growth through 2031, reaching $12.2 trillion rather than the runaway trajectory bloggers have assumed.
That distinction matters because it sets the tone for everything downstream. Cybersecurity board oversight built on an inflated, unaudited headline number invites the exact dismissal Olyaei described: another scary statistic, filed and forgotten.
What a Breach Actually Costs in 2025 and 2026
The more useful number for board decks comes from IBM’s Cost of a Data Breach Report 2025, built with the Ponemon Institute from 600 breached organizations surveyed between March 2024 and February 2025. The global average breach cost fell to $4.44 million, down 9% year over year, the first decline in five years. IBM credits AI-accelerated detection and containment for the drop.
The U.S. number moved the opposite direction. American companies paid a record $10.22 million per breach on average, up 9%, driven by regulatory penalties and slower detection timelines. Read those two numbers side by side and a pattern emerges: AI is helping companies find and contain breaches faster almost everywhere, but in the U.S., the cost of getting caught by regulators is rising faster than the cost of the breach itself. That’s a board conversation about legal exposure and disclosure strategy, not just a security operations metric.
The Boardroom Paradox: 93% Concern, 15% Influence
Here’s where cybersecurity board oversight gets genuinely strange. At Gartner’s 2026 Security & Risk Management Summit, analysts presented survey data showing 93% of board members agree cyber risk threatens shareholder value, and 98% expect that threat to grow within two years. Nobody in the room needed convincing that cybersecurity matters.
“How many of you get excited when your annual car insurance premiums come up for renewal? That is how the board has viewed cybersecurity. It’s a regulatory thing. It’s a checklist. It’s an attestation.”
Sam Olyaei, Managing Vice President, Gartner, Security & Risk Management Summit 2026 (TechTarget)
The disconnect shows up hardest in a separate 2026 CISO-Board Engagement Report from IANS Research, Artico Search, and The CAP Group, which surveyed board directors alongside 663 CISOs. Just 15% of CISOs say they help shape company strategy. Ninety five percent brief their boards regularly, more than triple the rate from a decade ago, when only about a quarter of CISOs presented directly to the board at all. But frequency isn’t the same as effectiveness. Only 29% of directors call the reporting they get “very effective,” while 53% land on “somewhat effective,” a polite way of saying it’s not landing.
“Many of the reports that I review are actually structured around cybersecurity, not around the business.”
Tom Scholtz, Analyst, Gartner, Security & Risk Management Summit 2026 (TechTarget)
Worth asking here: is the “boards ignore cybersecurity” narrative actually outdated? The access data says yes. Board attention has never been higher. What hasn’t caught up is the format that attention comes in. CISOs are still walking in with patch counts and mean-time-to-detect charts when the room wants to know what a breach does to next quarter’s earnings.
How Companies Are Routing Around SEC Disclosure Rules
Since December 18, 2023, SEC Item 1.05 has required public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality, alongside annual 10-K disclosures of how the board oversees cyber risk. Two and a half years in, the filing data tells its own story about board-level risk appetite.
| Disclosure track | Filings since Dec 2023 | What it signals |
|---|---|---|
| Item 1.05 (mandatory, material) | 29 issuers | Company determined the incident was material and disclosed accordingly |
| Item 8.01 (voluntary, non-material) | 50 issuers | Company disclosed without a formal materiality finding |
Data from the Debevoise Data Blog’s tracker, cross-checked against SEC EDGAR, shows more companies are choosing the voluntary path than the mandatory one, and most Item 8.01 filings never graduate into a materiality determination at all. Read charitably, that reflects genuine uncertainty about where the materiality line sits. Read less charitably, it looks like boards and general counsel finding a way to disclose just enough to look responsive without triggering the harder four-day mandatory clock. Either way, it’s the SEC filing record making the same point the Gartner survey data makes: boards know the rules exist, and they’re managing around the edges of them rather than building a system that makes the question moot.
Coupang: What Governance Failure Actually Looks Like
If you want the concrete version of “IT line item” thinking gone wrong, look at Coupang, South Korea’s largest e-commerce platform. A former employee left the company in late 2024 without having their cryptographic signing keys revoked. Between June and November 2025, that person used those still-active keys to access roughly 33.7 million customer accounts. Nobody noticed for nearly five months.
Coupang disclosed the breach publicly on December 1, 2025. Co-CEO Park Dae-jun resigned nine days later. South Korea’s Personal Information Protection Commission fined the company 624.68 billion won, about $456 million, on June 11, 2026, a record penalty that regulators explicitly attributed to “a management problem” rather than a sophisticated attack. Roughly 1.2% of the company’s 2025 revenue, in a single fine, for something as basic as offboarding.
That’s the piece easy to miss in trillion-dollar headline coverage: the failure that cost Coupang its CEO and nine figures wasn’t a novel AI-powered attack. It was an access-control checklist item nobody closed out. No amount of board-level financial-risk framing fixes that if the operational basics underneath aren’t handled, which is the honest limitation of every governance-reform pitch, including this one.
The Fix Gartner Is Pushing: Talk Balance Sheets, Not Firewalls
Gartner’s practical answer to the reporting-effectiveness gap is a reframing exercise: present cybersecurity to the board the way a CFO presents financial statements, not the way a SOC analyst presents an incident log. Translate detection and response capability into something closer to a balance sheet. Translate risk exposure into something closer to a cash-flow statement. The goal is a deck a board member without a security background can act on in the room, not one they nod through and forget.
It’s a low-cost fix by enterprise standards, and it’s the one lever CISOs actually control. They can’t single-handedly close the SEC filing gap or force a plateau in cybercrime cost growth. They can change what’s on the slide. Our read: the CISOs who adopt this framing first will be the ones who show up on the 15% “shapes strategy” side of the IANS data instead of the 85% who don’t.
The WEF Global Cybersecurity Outlook 2026, produced with Accenture from responses across 804 executives in 92 countries, adds another wrinkle worth watching: only 16% of organizations running industrial or operational technology environments report OT security issues to their boards at all, and just 20% maintain a dedicated OT security team. If IT risk reporting is inconsistent, OT risk reporting is close to absent, and that’s a blind spot that scales badly for any manufacturer or utility reading this.
What to watch over the next 6 to 18 months
- Whether the 29-versus-50 SEC filing gap narrows or widens as enforcement scrutiny increases, following the SEC’s 2024 actions against four companies over materiality gamesmanship.
- Whether more CISOs adopt Gartner’s financial-statement reporting model, and whether the 15% “shapes strategy” figure moves in next year’s IANS survey.
- Whether OT security reporting to boards rises off its current 16% baseline as regulatory pressure from frameworks like the EU Cyber Resilience Act pushes industrial risk into the same disclosure conversation as IT risk.
Regulatory pressure is already compounding the problem for companies running both IT and connected-device fleets. NeuralWired covered the compliance mechanics in our EU Cyber Resilience Act IoT deadline explainer, and the parallel between the Coupang fine and the fines detailed in our GDPR AI compliance fines roundup is hard to miss: regulators on both sides of the Pacific are converging on the same message, boards own this risk now, penalties included. For a real-world example of how fast an AI-enabled failure becomes a board problem, our writeup of the Arup deepfake fraud case is worth a read alongside this one.
FAQ
Do boards think cybersecurity is a business risk?
Yes. Gartner data presented at its 2026 Security & Risk Management Summit found 93% of board members agree cyber risk threatens shareholder value, but most CISO reporting is still structured around technical metrics rather than business outcomes, which is where the disconnect starts.
How much does cybercrime cost the world in 2026?
Cybersecurity Ventures projected global cybercrime damages would reach $10.5 trillion by 2025, with costs plateauing toward $12.2 trillion by 2031 at roughly 2.5% annual growth, down from the 15% pace assumed in earlier forecasts. Treat it as a directional estimate, not an audited total.
What is the average cost of a data breach in 2025?
IBM’s 2025 Cost of a Data Breach Report found the global average breach cost fell to $4.44 million, a 9% decline credited to AI-accelerated detection, while the U.S. average rose to a record $10.22 million, driven by regulatory penalties and slower detection.
Do SEC rules require companies to disclose cyberattacks?
Yes. Since December 18, 2023, SEC Item 1.05 requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of a materiality determination, plus annual board-oversight disclosures on Form 10-K.
The Takeaway
Cybersecurity board oversight in 2026 isn’t failing because boards don’t care. The Gartner and IANS data both show the opposite: attention is at an all-time high, and 95% of CISOs now brief their boards regularly, up from roughly a quarter a decade ago. What’s failing is the translation layer, the gap between “93% agree this threatens shareholder value” and “only 15% of CISOs shape strategy.” Coupang shows what happens when that gap meets a basic operational lapse: a $456 million fine and a resigned CEO, for an unrevoked set of keys.
The fix on the table right now, reporting cybersecurity in the language of business risk instead of technical metrics, is neither expensive nor complicated. It’s just not yet standard practice. Watch the next round of SEC filings, the next IANS board-engagement survey, and whether OT security reporting starts climbing off its current 16% floor. Those three numbers will tell you whether 2026 was the year the gap started closing, or just the year it got measured more precisely.
Want the next governance and enterprise-risk story before it hits your feed? Subscribe to The Neural Loop at neuralwired.com/newsletter.
