A few news articles came out yesterday around the SEC's proposed rule changes, specifically section II. Proposed Amendments (E), on whether public companies will need to disclose if they have someone on their Board with cybersecurity expertise.
For those that don't read the above links, 'cybersecurity expertise' is loosely defined as:
Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
Whether the director has obtained a certification or degree in cybersecurity; and
Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
There were also a few RFCs that I thought were interesting and might drive some further discussion here in the Community.
Would proposed Item 407(j) disclosure provide information that investors would find useful? (Or if it would affect any decisions around using their services or products in your environment?)
Would the Item 407(j) disclosure requirements have the unintended effect of undermining a company's cybersecurity defense efforts or otherwise impose undue burdens on companies?
Should any public companies be excluded? (Shortened for brevity)
And as always, any further thoughts from the Community on this issue.
If the board makes any budgetary recommendations, then I think it would be prudent to have cybersecurity representation on there. You don't want cybersecurity to be underfunded because its necessity was not understood.