Last month, the Securities and Exchange Commission proposed some new guidelines to promote better cybersecurity governance amongst public companies. They make for interesting reading, particularly in one area where the SEC is trying to track the level of cyber expertise on the boards of directors of these companies. They ask that companies disclose whether “any director has prior work experience in cybersecurity,” which includes a fairly broad range including if someone has been a CISO or has had any position that mentions security in its title, had any cyber certifications, or has specific cyber knowledge.
Now, just the way this is worded in the proposed rulemaking makes me very skeptical. My first impression is that anyone who admits to satisfying these criteria to the SEC will paint a target on their backs and will be blamed for any future threat or exploit. Then, what if I took an exam (like a CSSP or Security+) and didn’t pass? I still have some cyber knowledge. Does this mean I still have to disclose to the SEC?
The wording of the qualifications also implies (at least to me) that just about any Computer Science grad would probably have taken some infosec training (hope springs eternal) and would need to disclose this. I am not sure this satisfies the SEC’s intention.
But let’s get to the meat of the matter and address two important questions.
First, will these proposed rules motivate firms to hire any effective cyber experts as board members? My guess is probably not. At best, boards meet quarterly, and what is a board member supposed to do in between meetings if something is awry? Does this mean a CISO has a shadow reporting relationship to the cyber-aware board member? That is not a recipe for good corporate governance.
Here is a thought. A few years ago, I developed (somewhat tongue-in-cheek) a cybersec quiz that you can give your boss. It is easily repurposed for vetting your potential cyber-friendly board members, if you can get them to answer the questions truthfully. You may want to use that as a screening tool if you are going to expand your board of directors, or if you are going to have a separate “technical advisory board” that could be useful in directing your future digital and cybersec policies. (I have served in this capacity, BTW.)
Second, will having this kind of expertise make a difference in terms of better breach response? One of the other proposed rules by the SEC is to mandate a four-day turnaround period once a breach has been determined. That is probably more important than anything else in these proposed rules, especially as most firms have a culture of hiding a breach for as long as they can get away with it. How this turnaround period is measured isn’t really well defined either.
If you want to submit a comment before 5/22/23 on File No: S7-04-22, go to this page on the SEC’s website, scroll down the page and find this file number to bring up the appropriate form.