October 12, 2023
What’s Next for Director Cyber Expertise?
In the final cybersecurity rules, the SEC did away with the proposed requirement to disclose board cybersecurity expertise, even though, during the “Dialogue with the Director” session at the ABA’s Business Law Section Fall Meeting, Corp Fin Director Erik Gerding stressed that the proposal was not meant to impact board composition. The final rules instead focus on management expertise. But that doesn’t mean that directors can ignore cybersecurity expertise at the board level.
This report from the EY Center for Board Matters, What Cyber Disclosures Are Telling Shareholders in 2023, gives stats showing that related disclosure has been on the rise:
In 2023, 61% of companies disclosed cybersecurity as an area of expertise sought on the board, up from 20% in 2018. More than two-thirds of the companies now cite cybersecurity experience in at least one director biography, up from 33% in 2018.
A closer look at these changes over the past few years shows that, in most cases, the increases in director experience are related to most companies adding cyber-related experience to longer-standing board member bios, with some boards adding a new director with cybersecurity experience. The new arrivals have included former CIOs and senior information technology executives, the head of a cybersecurity company, and former leaders in federal intelligence agencies or the Department of Defense.
This HLS blog post by NightDragon and Diligent suggests ways boards can bolster their cyber “technical chops.” Spoiler alert! The first recommendation is to make cyber education a priority. From the management perspective, the blog also highlights how CISOs can prepare themselves to address and educate their boards and acknowledges some of the biggest challenges CISOs face when presenting to the board — determining the right amount of information to provide and focusing on the business. The blog says this means “ditching the industry lingo and always speaking in terms of risk to the business, such as how cybersecurity risk could impact revenue acceleration, international expansion, and other strategic topics.”
– Meredith Ervine