The US Securities and Exchange Commission (SEC) has recently examined the cybersecurity expertise of companies in order to improve cybersecurity measures. The initial proposal from the SEC in March 2022 required companies to publicly disclose at least one cybersecurity expert on their board of directors and one within the management team. However, the SEC has now decided to drop the requirement for a board expert. Nonetheless, the commission still insists that management cybersecurity expertise should be reported.
Although the SEC did not provide a specific definition of cybersecurity expertise, it did suggest that certifications, academic degrees, and work experience could be potential indicators of such expertise. However, experts in the field believe that the requirements for cybersecurity expertise should be determined by each individual company.
According to Andrew Morrison, a principal at Deloitte Risk & Financial Advisory, the proposed SEC rule does not necessarily call for more cybersecurity expertise on boards or in senior management. He compares this rule to other disclosure requirements set by the SEC, such as the disclosure of financial expertise of directors on audit committees.
Because the SEC has not specified what qualifies a candidate as a cybersecurity expert, it will leave that judgment to the market. Shareholders and investors may respond negatively to a company that suffers a significant data breach by lowering its stock price if they believe that the credentials of its cybersecurity expert were insufficient. Additionally, companies may reconsider the credentials they initially approved if competitors in the same industry put forward experts with more impressive qualifications.
Brian Levine, a managing director at EY, suggests that the new disclosure requirements by the SEC could create healthy competition around cybersecurity. Companies may strive to improve their cybersecurity measures by examining what their peers have disclosed and attempting to outdo them.
While certifications and degrees related to cybersecurity, such as CISSP, CISA, CompTIA Security+, CEH, and CISM, are considered helpful for management roles, experts in the field argue that experience is the most crucial factor. Andy Ellis, an operating partner at YL Ventures, is concerned that some companies may rely too heavily on easily quantifiable metrics, such as certifications and degrees, which may not accurately represent the candidate’s qualifications.
For board roles, Ellis emphasizes the importance of asking the right questions rather than having all the answers. The cybersecurity expert should be knowledgeable enough to assess the validity of the answers provided by the Chief Information Security Officer (CISO) when addressing cybersecurity issues.
Brian Walker, CEO at security consulting firm The CAP Group, doubts the effectiveness of certifications at the Fortune 500 level. He believes that the true value of a cybersecurity expert lies in their ability to make critical security decisions in real time, such as determining whether an incident qualifies as a reportable breach.
When it comes to filling board positions with cybersecurity experts, companies have two options. They can either recruit individuals with genuine expertise in cybersecurity or train existing board members to become cybersecurity experts. However, it can be challenging to find cybersecurity experts among the typical members of Fortune 500 companies’ boards, who usually consist of CEOs and former CEOs, investors, and internal board members.
The SEC aims to address the lack of attention given to cybersecurity in large companies. While board members often express support for strong security measures and low risk tolerance, their actions, particularly budget decisions, tend to prioritize other areas over cybersecurity.
In conclusion, the SEC has prioritized cybersecurity expertise within companies, particularly within management teams. However, it has backed off from requiring a cybersecurity expert on the board of directors, instead leaving it to companies to determine the necessary expertise. The market will ultimately decide the value of a company’s cybersecurity credentials. Experience is considered the most important factor in evaluating cybersecurity expertise, although certain certifications and degrees can be helpful. The SEC hopes that the new disclosure requirements will encourage healthy competition among companies to improve their cybersecurity measures.