SEC Proposed Rule Could Add Cybersecurity to the Boardroom

Cybersecurity Experience Disclosure

On March 9^th, 2022, the Security and Exchanges Commission (SEC) issued several proposed amendments that could have a big impact on businesses. One of the more surprising amendments is Amend Item 407(j) of Regulation S-K: “require disclosure about if any member of the registrant’s board of directors has cybersecurity experience”[1]. This would require businesses to disclose on annual reports, annual meeting proxy statements and information statements on Schedule 14C if any of their board members have previous cybersecurity experience including the names of any such director(s) and any details necessary to fully describe their expertise. While the amendment doesn’t specifically state what would qualify as “cybersecurity experience” it does give some examples such as prior work experience, certifications, degrees related to cybersecurity or other background in cybersecurity. The SEC notes that companies could respond to this proposed rule by adding a board member or staff to their management team with cybersecurity experience, although it would not be required. This addition could provide the board with more oversight and help them identify and manage cybersecurity risks. Having a member with cybersecurity experience could also help persuade the other board members to allocate more resources to cybersecurity including devising, implementing and improving their policies and procedures. Another idea the SEC gives is for companies to hire a Chief Information Security Officer (CISO) to help manage cybersecurity, although again this exact title would not be required.

Giving IT and Security Leaders a Seat at the Table

While this may seem like an unusual disclosure, statistics show that the number of Boardrooms that include members with a cybersecurity background is extremely low. In April 2021, research and consulting firm Gartner conducted a survey of 615 respondents across the world with over 100 employees and $50 million in total annual revenue and found that 88% of Boards of Directors view cybersecurity as a business risk, yet only 12% of them have a dedicated board-level cybersecurity committee[2]. Paul Proctor, Chief of Research for Risk and Security at Gartner said about the statistic: “IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threat. Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security”. Adding a board member with cybersecurity experience could help close that gap.

Disclosure also Protects these Cybersecurity Board Members from Increased Liability

It’s also important to note that the board member with cybersecurity experience would not be liable if there were to be a breach or security incident. The amendment proposes a “safe harbor” for the member so that they would not have any duties, obligations, or liabilities that are greater than those of any other board member. The member would also not be deemed an expert for any purposes including, for purposes of Section 11 of the Securities Act. The goal for this amendment is to increase board oversight of cybersecurity as well as having the board member with cybersecurity experience work with the rest of the Board to make business decisions with cybersecurity in mind.

The comment period for the Proposed Rules will remain open for 60 days following publication of the proposed release on the SEC’s website or 30 days following publication of the proposed release in the Federal Register, whichever period is longer. Although the Proposed Rules may change before the final rules are published, public companies would be wise to start reviewing and addressing any concerns between their own cybersecurity policies and procedures and the ones currently being proposed.

Some organizations may not have the in-house cybersecurity expertise to fulfill the requirement of this Proposed Rule. To hire a full-time CISO, it may run organizations upwards of 6 figures to pay a proper salary. For organizations looking to meet this requirement and strengthen the posture of their cybersecurity program, hiring a virtual CISO (vCISO) may be advantageous. For a fraction of the price, organizations can outsource the CISO function to a third-party expert. OCD Tech offers these vCISO services and is ready to help your organization both check the box and advise on other cyber goals and initiatives organizations might have.

For the full SEC Proposed Rule, click here.

---