I think any data breach case can be defended if there is a good faith attempt to secure the data. Every booard of directors should be aware of potential vulnerabilities. In some cases your insurance company can steer you to one of the better vendors. Always use a third party vendor that is highly rated and understand what type of protection you atr buying. Certainly you want your protection to evolve as the hackers get more and more sophisticated.

i believe, Industry sensitve, it is Management’s responsibility to advise a BOD of steps Management is taking to be Cyber aware, responsive, and defensive as regards to all of the Company’s normally, and fairly anticipatory cyber exposures. A good Management team and an involved progressive BOD should work together to have action plans and emergency reactive actions ready for any predictable threat or breach across the spectrum of the Company’s exposures, and an emergency “lock down “ program and action plan for those that are not.
But the initiative is Managment’s responsibility to a BOD.

Anticipate?  As far as this means "expect more laws about privacy protections", I think they should, yes.  If by this you mean "expect changes, put methods and controls in place to protect individual privacy", also, yes; specifically and especially if they have not already.  I think the BoD needs to lead the way and ensure these changes are implemented, or they will face individual liability consequences like willful negligence accusations.

I also think that in general if a company has controls in place and is following the OECD principles, is working on compliance with GDPR right now and has an incident response/breach reporting process in place with active pre-event policy enforcement, I think that such companies should be very, very close to whatever changes might be forthcoming.

I think Board should deduce standards from their previous actions, and put in place additional protections without waiting for explicit guidance to come out