The fact that legislators and regulators widely consider cybersecurity to be a risk management issue rather than a compliance exercise is a good-news, bad-news story.
On the upside, in the absence of clear legal or contractual obligations, cybersecurity generally dismisses checklist requirements (which may have little to no applied value) in favor of informed judgments. There are choices. The downside of enjoying this flexibility, however, is the second-guessing that invariably begins should something go wrong: what could have been done to prevent the incident, and was it reasonable not to have done so?