A few news articles came out yesterday around the SEC's proposed rule changes, specifically section II. Proposed Amendments (E), on whether public companies will need to disclose if they have someone on their Board with cybersecurity expertise.
Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)
For those that don't read the above links, 'cybersecurity expertise' is loosely defined as:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
There were also a few RFCs that I thought were interesting and might drive some further discussion here in the Community.
- Would proposed Item 407(j) disclosure provide information that investors would find useful? (Or if it would affect any decisions around using their services or products in your environment?)
- Would the Item 407(j) disclosure requirements have the unintended effect of undermining a company's cybersecurity defense efforts or otherwise impose undue burdens on companies?
- Should any public companies be excluded? (Shortened for brevity)
- And as always, any further thoughts from the Community on this issue.