• SecurePath for Auto Dealers
  • Services
    • SOC Reporting Services
      • SOC 2® Readiness Assessment
      • SOC 2® Reports
      • SOC 3® Reports
      • SOC for Cybersecurity® Reports
    • IT Advisory Services
      • IT Vulnerability Assessment
      • Network Penetration Testing
      • Privileged Access Management
      • Social Engineering Testing
      • Virtual CISO (vCISO)
      • Written Information Security Program (“WISP”)
      • IT General Controls Audit & Compliance
    • IT Government Compliance
      • CMMC Cybersecurity Services & Compliance
      • DFARS Compliance
      • FTC Safeguards Compliance
  • Industries
    • Financial Services
    • Government
    • Auto Dealerships
    • Enterprise
  • Blog
  • About Us
    • Meet The Team
    • Jobs
  • Contact Us

Call us today! 844-OCD-TECH

Find our Location
OCD TechOCD Tech
  • SecurePath for Auto Dealers
  • Services
    • SOC Reporting Services
      • SOC 2® Readiness Assessment
      • SOC 2® Reports
      • SOC 3® Reports
      • SOC for Cybersecurity® Reports
    • IT Advisory Services
      • IT Vulnerability Assessment
      • Network Penetration Testing
      • Privileged Access Management
      • Social Engineering Testing
      • Virtual CISO (vCISO)
      • Written Information Security Program (“WISP”)
      • IT General Controls Audit & Compliance
    • IT Government Compliance
      • CMMC Cybersecurity Services & Compliance
      • DFARS Compliance
      • FTC Safeguards Compliance
  • Industries
    • Financial Services
    • Government
    • Auto Dealerships
    • Enterprise
  • Blog
  • About Us
    • Meet The Team
    • Jobs
  • Contact Us
Cybersecurity experience disclosure

SEC Proposed Rule Could Add Cybersecurity to the Boardroom

March 21, 2022 Posted by Julia Muccini Cybersecurity, IT Security

Cybersecurity Experience Disclosure

On March 9th, 2022, the Security and Exchanges Commission (SEC) issued several proposed amendments that could have a big impact on businesses. One of the more surprising amendments is Amend Item 407(j) of Regulation S-K: “require disclosure about if any member of the registrant’s board of directors has cybersecurity experience”[1]. This would require businesses to disclose on annual reports, annual meeting proxy statements and information statements on Schedule 14C if any of their board members have previous cybersecurity experience including the names of any such director(s) and any details necessary to fully describe their expertise. While the amendment doesn’t specifically state what would qualify as “cybersecurity experience” it does give some examples such as prior work experience, certifications, degrees related to cybersecurity or other background in cybersecurity. The SEC notes that companies could respond to this proposed rule by adding a board member or staff to their management team with cybersecurity experience, although it would not be required. This addition could provide the board with more oversight and help them identify and manage cybersecurity risks. Having a member with cybersecurity experience could also help persuade the other board members to allocate more resources to cybersecurity including devising, implementing and improving their policies and procedures. Another idea the SEC gives is for companies to hire a Chief Information Security Officer (CISO) to help manage cybersecurity, although again this exact title would not be required.

Giving IT and Security Leaders a Seat at the Table

While this may seem like an unusual disclosure, statistics show that the number of Boardrooms that include members with a cybersecurity background is extremely low. In April 2021, research and consulting firm Gartner conducted a survey of 615 respondents across the world with over 100 employees and $50 million in total annual revenue and found that 88% of Boards of Directors view cybersecurity as a business risk, yet only 12% of them have a dedicated board-level cybersecurity committee[2]. Paul Proctor, Chief of Research for Risk and Security at Gartner said about the statistic: “IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threat. Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security”. Adding a board member with cybersecurity experience could help close that gap.

Disclosure also Protects these Cybersecurity Board Members from Increased Liability

It’s also important to note that the board member with cybersecurity experience would not be liable if there were to be a breach or security incident. The amendment proposes a “safe harbor” for the member so that they would not have any duties, obligations, or liabilities that are greater than those of any other board member. The member would also not be deemed an expert for any purposes including, for purposes of Section 11 of the Securities Act. The goal for this amendment is to increase board oversight of cybersecurity as well as having the board member with cybersecurity experience work with the rest of the Board to make business decisions with cybersecurity in mind.

The comment period for the Proposed Rules will remain open for 60 days following publication of the proposed release on the SEC’s website or 30 days following publication of the proposed release in the Federal Register, whichever period is longer. Although the Proposed Rules may change before the final rules are published, public companies would be wise to start reviewing and addressing any concerns between their own cybersecurity policies and procedures and the ones currently being proposed.

Some organizations may not have the in-house cybersecurity expertise to fulfill the requirement of this Proposed Rule. To hire a full-time CISO, it may run organizations upwards of 6 figures to pay a proper salary. For organizations looking to meet this requirement and strengthen the posture of their cybersecurity program, hiring a virtual CISO (vCISO) may be advantageous. For a fraction of the price, organizations can outsource the CISO function to a third-party expert. OCD Tech offers these vCISO services and is ready to help your organization both check the box and advise on other cyber goals and initiatives organizations might have.

For the full SEC Proposed Rule, click here.


https://www.sec.gov/rules/proposed/2022/33-11038.pdf

https://www.gartner.com/en/newsroom/press-releases/2021-11-18-gartner-survey-finds-88-percent-of-boards-of-directors-view-cybersecurity-as-a-business-risk

Share
4

About Julia Muccini

Joining the team in 2021, Julia is an IT Compliance Analyst. Before joining the firm, Julia received a Bachelor’s Degree in Criminal Justice from Saint Anselm College in Manchester, NH, and her Masters Degree in Cybersecurity: Policy & Governance from Boston College. She implements processes and technical solutions to identify, monitor, and resolve information security and compliance risks.

You also might be interested in

Cybersecurity in 2024 & Beyond: Prepare for the Future

Cybersecurity in 2024 & Beyond: Prepare for the Future

Oct 22, 2024

As we approach 2024, cybersecurity has become one of the[...]

Don’t Let the Cloud Rain on Your DFARS Compliance

Don’t Let the Cloud Rain on Your DFARS Compliance

Jun 19, 2018

Cloud computing has become ubiquitous in how we operate our[...]

OCD TECH. PAM AND DATA BREACHES.

PAM and Data Breaches

Feb 28, 2023

PAM is one of the most critical aspects of a[...]

Find us on

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Send Message
OCD Tech logo Audit. Security. Assurance.

IT Audit | Cybersecurity | IT Assurance | IT Security Consultants – OCD Tech is a technology consulting firm serving the IT security and consulting needs of businesses in Boston (MA), Braintree (MA) and across New England. We primarily serve Fortune 500 companies including auto dealers, financial institutions, higher education, government contractors, and not-for-profit organizations with SOC 2 reporting, CMMC readiness, IT Security Audits, Penetration Testing and Vulnerability Assessments. We also provide dark web monitoring, DFARS compliance, and IT general controls review.

Contact Info

  • OCD Tech
  • 25 BHOP, Suite 407, Braintree MA, 02184
  • 844-623-8324
  • https://ocd-tech.com

Follow Us

Videos

Check Out the Latest Videos From OCD Tech!

Services

SOC Reporting Services
– SOC 2 ® Readiness Assessment
– SOC 2 ®
– SOC 3 ®
– SOC for Cybersecurity ®

IT Advisory Services
– IT Vulnerability Assessment
– Penetration Testing
– Privileged Access Management
– Social Engineering
– WISP
– General IT Controls Review

IT Government Compliance Services
– CMMC
– DFARS Compliance
– FTC Safeguards vCISO

Industries

  • Financial Services
  • Government
  • Enterprise
  • Auto Dealerships

© 2025 — OCD Tech: IT Audit - Cybersecurity - IT Assurance

  • OCD Tech
  • About Us
  • Contact Us
Prev Next