tmekelburg1
Community Champion

Cybersecurity Expertise on the Board

A few news articles came out yesterday around the SEC's proposed rule changes, specifically section II. Proposed Amendments (E), on whether public companies will need to disclose if they have someone on their Board with cybersecurity expertise.


Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)


For those that don't read the above links, 'cybersecurity expertise' is loosely defined as:


  • Whether the director has prior work experience in cybersecurity, including, for
    example, prior experience as an information security officer, security policy analyst,
    security auditor, security architect or engineer, security operations or incident
    response manager, or business continuity planner;
  • Whether the director has obtained a certification or degree in cybersecurity; and
  • Whether the director has knowledge, skills, or other background in cybersecurity,
    including, for example, in the areas of security policy and governance, risk
    management, security assessment, control evaluation, security architecture and
    engineering, security operations, incident handling, or business continuity planning.

There were also a few RFCs that I thought were interesting and might drive some further discussion here in the Community.


  1. Would proposed Item 407(j) disclosure provide information that investors would find useful? (Or if it would affect any decisions around using their services or products in your environment?)
  2. Would the Item 407(j) disclosure requirements have the unintended effect of undermining a company's cybersecurity defense efforts or otherwise impose undue burdens on companies?
  3. Should any public companies be excluded? (Shortened for brevity)
  4. And as always, any further thoughts from the Community on this issue.
1 Reply
CISOScott
Community Champion

If the board makes any budgetary recommendations then I think it would be prudent to have cybersecurity representation on there. You don't want cybersecurity to be underfunded because its necessity was not understood.