Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

Blog Post

Blog #5 of 5 in SEC Cyber Series

Disclosure Regarding the Board of Directors’ Cybersecurity Expertise [1]

Introduction

In the first post in this series, “Overview of the SEC ‘Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’ Proposed Rule Changes,” I cited the four specific changes proposed in the SEC rulemaking:

  1. Reporting of Cybersecurity Incidents on Form 8-K
  2. Disclosure about Cybersecurity Incidents in Periodic Reports
  3. Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
  4. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

This final post in this series focuses on the proposed requirements of “Disclosure Regarding the Board of Directors’ Cybersecurity Expertise.”

What is proposed?

For this disclosure requirement, the SEC is proposing to amend Item 107 of Regulation S-K to require “disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any. If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s) and provide such detail as necessary to fully describe the nature of the expertise.”[2] The disclosure would be required in proxy statements and the 10-K.

As I mentioned in a previous post, risk oversight is one of the top three responsibilities of a board of directors, and disclosing information about risk and risk management oversight is not new to public company boards. As part of Regulation S-K, at 17 CFR §229.401(e), companies must discuss the business experience of board directors.[3] At 17 CFR §229.407(h), companies must “disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.”[4]

In an analysis of Form 10-K filings by 74 Fortune 100 companies in 2022, Ernst & Young found that disclosures about directors’ cybersecurity expertise increased significantly in the five years before these proposed SEC changes. In 2018, only 20% of the companies disclosed cybersecurity expertise as a sought-after skill, compared to 46% in 2022. In 2018, only 28% cited existing cybersecurity expertise in at least one board member, compared to more than 50% in 2022. Progressive, forward-thinking organizations see both the need for cybersecurity expertise and the value of disclosures.[5]

The specific proposed changes to create the new Item 407(j) are as follows:

(j) Cybersecurity expertise.

(1) If any member of the registrant’s board of directors has expertise in cybersecurity, disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise. In determining whether a director has expertise in cybersecurity, the registrant should consider, among other things:

(i) Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;

(ii) Whether the director has obtained a certification or degree in cybersecurity; and

(iii) Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.[6]

Additionally, under paragraph (2), Safe Harbor, of proposed Item 407(j), a director designated as having cybersecurity expertise does not assume any liabilities greater than those of any other board member, nor does the designation relieve any other director of their duties, obligations, or liabilities.

What is Cybersecurity Expertise?

All US public companies must disclose whether their audit committees have at least one financial expert and, if they don’t have one, disclose the reasons why not. These requirements came about in rulemaking following the passage of the Sarbanes-Oxley Act of 2002 and may be found at 17 CFR §229.407(d)(5).[7]

Now, twenty (yes 20!) years later, the SEC is proposing similar disclosure requirements for cybersecurity expertise. The requirements are similar but not the same. In the regulation, the term “audit committee financial expert” is defined in terms of specific attributes at 17 CFR §229.407(d)(5)(ii); for example, an understanding of generally accepted accounting principles, experience preparing, auditing, analyzing, or evaluating financial statements, an understanding of internal control over financial reporting, etc.

The language at 17 CFR §229.407(d)(5)(iii) discusses how someone might have acquired these attributes. This section includes items such as experience and education as a principal financial officer, principal accounting officer, controller, public accountant, or auditor, or experience in one or more positions that involve the performance of similar functions; experience actively supervising a principal financial officer, principal accounting officer, controller, public accountant, auditor, or person performing similar functions; and experience overseeing or assessing the performance of companies or public accountants concerning the preparation, auditing, or evaluation of financial statements.

The proposed language around cybersecurity expertise appears less stringent because it does not require a cybersecurity expert on the board or on any specific committee. It is simply a requirement to disclose whether there is such an individual on the board. Further, there is no requirement to explain why the organization does not have such an individual. Also, the proposed changes would not define “cybersecurity expertise, given that such expertise may cover different experiences, skills, and tasks”; however, they do include a non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity.[8] That non-exclusive list is provided above under (j)(1)(i), (ii), and (iii).

While attending the National Association of Corporate Directors (NACD) Annual Summit 2022, several attendees asked me to clarify “cybersecurity expertise.” As a profession, cybersecurity is immature compared to the more mature taxonomy of knowledge, skills, abilities, and certifications in finance and accounting. Cybersecurity expertise is a little more difficult to define than financial expertise.

Given the vast collection of domains that comprise the emerging body of cybersecurity knowledge, the definition cannot be obvious. For example, one of the premier and most highly recognized certifications in information security is CISSP, Certified Information Systems Security Professional.[9] Its knowledge domains include Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security.

Another top certification, CRISC, Certified in Risk and Information Systems Control[10], includes IT Risk Identification, IT Risk Assessment, Risk Response and Mitigation, and Risk and Control Monitoring and Reporting as its primary subject matter domains.

Ideally, you would find an individual with both CRISC and CISSP certifications. Given a choice between the two, and all other factors being equal, I’d recommend choosing an individual with the CRISC certification, which is much more focused on risk management and is better aligned with the board’s overall risk oversight responsibilities. I would emphasize risk management knowledge, skills, and abilities (KSAs) over the KSAs of a security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner.

My “skills matrix,” then, for someone with “cybersecurity expertise” would include some broader attributes, to avoid onboarding a single-purpose director and instead bring on someone who can contribute to fulfilling other board oversight responsibilities:

  • Board experience, preferably with NACD Directorship Certification® (NACD.DC)
  • Entrepreneur, Executive, Educator
  • CEO Experience
  • Hands-on or oversight experience in roles such as:
    • CIO
    • CISO
    • CTO
    • COO
  • Certifications in order of priority:
    • CRISC
    • CISSP
    • NACD CERT Certificate in Cyber-Risk Oversight
  • Degree
    • MBA or equivalent
    • MS – Cybersecurity
  • Recognized expert through writing, teaching, or serving as an expert witness
  • Strategy-, Risk-, Leadership-savvy
  • Financially literate

Questions Management and Board Should Ask and Discuss

Here are several starter questions around the proposed Disclosure Regarding the Board of Directors’ Cybersecurity Expertise:

  1. What is the level of cybersecurity expertise on your board today? Is anyone on the board capable of understanding enterprise cyber risk management (ECRM) issues? Are you comfortable today disclosing your board’s cybersecurity expertise to investors?
  2. Given your organization’s current industry, “crown jewels,” attack surface, and ECRM strategy, would your investors conclude that you have the correct cybersecurity expertise on your board?
  3. What board committee has responsibility for ECRM? Does language in this committee’s charter cover ECRM?
  4. Does your current board skills matrix include relevant attributes for cybersecurity expertise?
  5. Does your current board skills matrix emphasize risk management expertise over cybersecurity technical expertise?
  6. Have you developed a board job description for someone with cybersecurity expertise?
  7. Is the board setting clear expectations of management regarding their roles and responsibilities in ECRM with the current level of cybersecurity expertise on your board?

Endnotes

[1] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[2] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[3] Business Experience. 17 CFR §229.401(e) (Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975 – Regulation S-K). Available at https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.400/section-229.401

[4] Board leadership structure and role in risk oversight. 17 CFR §229.407(h) (Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975 – Regulation S-K). Available at https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.400/section-229.407

[5] Seets, Chuck, and Pat Niemann (EY). Harvard Law School Forum on Corporate Governance. “How cyber governance and disclosures are closing the gaps in 2022.” October 2, 2022. Available at https://corpgov.law.harvard.edu/2022/10/02/how-cyber-governance-and-disclosures-are-closing-the-gaps-in-2022/

[6] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[7] Audit committee financial expert. 17 CFR §229.407(d)(5) (Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975 – Regulation S-K). Available at https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.400/section-229.407#p-229.407(d)(5)

[8] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[9] (ISC)². “CISSP – Certified Information Systems Security Professional.” Accessed November 21, 2022. Available at https://www.isc2.org/Certifications/CISSP#

[10] ISACA. “CRISC – Certified in Risk and Information Systems Control.” Accessed November 21, 2022. Available at https://www.isaca.org/credentialing/crisc