Incident Response & Threat Intelligence

R3-2A. Fear and Loathing in the Board Room: A Hopeful Journey to SEC Compliance.

Thursday, June 13, 2024 1:15 PM - 2:15 PM

Description

Upon adopting a new SEC rule on July 26, 2023, on cybersecurity risk management, strategy, governance, and incident disclosure by public companies, Securities and Exchange Commission Chair Gary Gensler said, "Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors." This rule, referred to as the Sarbanes-Oxley for information security and data protection, will force cyber risk management from the server room to the board room and change the industry. Cybersecurity has been an IT function for decades, often thought of only in hindsight after a data security or cyber incident, and without financial impacts on publicly traded companies in the form of material losses that would have regulatory, legal, or financial repercussions for organizations and their leadership. The new SEC rule will force an approach to duty-of-care obligations on reasonable cybersecurity standards that currently exist for directors and officers in other areas of corporate governance. Failure to comply with these rules will have severe career and financial impacts on executives.

Learner Objectives

After this presentation, the learner will: gain insights into the critical points of the new SEC ruling; know what is needed for compliance; and understand how the ruling impacts current approaches to cybersecurity and data governance and the potential risks for rule violations.