The SEC Proposes Cybersecurity Expertise Disclosure: Why Cyber Literacy Is Critical for Council Members
"The SEC is proposing to force boards to do what they haven't done themselves, govern cyber risk." - Forbes
The Securities and Exchange Commission (SEC) has recently proposed new rules that would require U.S. public company boardrooms to disclose the cybersecurity expertise of their directors. Board members are already expected to have financial literacy; cyber literacy is now emerging as an equally necessary qualification. The rules suggest that expertise will be determined by past work experience, certifications or degrees in cybersecurity, and knowledge of security policy, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning. The move is intended to address the rapidly changing cybersecurity landscape and to protect investors by ensuring that the organizations they invest in are addressing enterprise risks. Companies such as FedEx, Hasbro, PNC, and UPS already understand the value of cybersecurity competencies on their boards, but the SEC is pushing for more companies to follow suit.
“The SEC recently proposed new rules that would require U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise. This is currently a relatively rare skillset within the ranks of most corporate boards, not just in the U.S. but worldwide.” - Forbes
This move by the SEC should also serve as a wake-up call for local governments. Local governments issue bonds, and these bonds also have investors that need to be protected. Cyber risk is the number one risk for most organizations, and the cost of data breaches is high. It is part of the fiduciary responsibility to avoid risk and protect investors. Local governments should expect the same requirements in the future for the same reasons.
As cybersecurity threats continue to grow and evolve, the role of the Chief Information Security Officer (CISO) is becoming increasingly important in organizations. The CISO is responsible for managing and implementing the organization's cybersecurity strategy and ensuring that the governing board is fully aware of the risks and measures taken to address them. By effectively communicating the potential impact of cyber threats and the importance of cybersecurity to the board, the CISO can help ensure that the organization is taking the necessary steps to protect against cyber-attacks and mitigate any potential damage. The CISO is critical in maintaining the organization's cyber resilience and protecting the organization's reputation and assets.
“With the rapidly changing cyber risk environment that faces every company, cyber risk presents clear and present equity, financial and litigation threats.” - Forbes
Unfortunately, the role of the CISO is still an emerging one in local governments. CISOs are often viewed as subordinate to the Chief Information Officer (CIO) in local government, if the role exists at all. The CISO or cybersecurity function is often buried deep in the organization chart, too low to inform the council on cyber risks. In the corporate world, however, the trend is to elevate the CISO to a peer of the CIO, reporting directly to the CEO. Elevating the CISO in the same way raises the importance of cybersecurity throughout the organization and improves the CISO’s ability to communicate directly with the top officials in the local government.
"While this trend has yet to make much headway among local governments, there are good arguments for having the CISO report directly to the top elected and/or appointed official. This would elevate the importance of cybersecurity throughout the organization and improve the CISO’s ability to communicate directly with the top officials in the local government." - ICMA 2020
According to the Carnegie Mellon University (CMU) CyLab 2008 Governance of Enterprise Security Study, there is still a gap between information technology (IT) and enterprise risk management. Survey results confirm that boards and senior executives are not adequately involved in key areas related to the governance of enterprise security. This gap needs to be addressed in local governments to ensure that enterprise risks are being addressed and investors are being protected. A CISO at the executive level in a local government can help bridge this gap.
The SEC’s move to require U.S. public company boardrooms to disclose the cybersecurity expertise of their directors is a welcome move to address the rapidly changing cybersecurity landscape and protect investors. Local governments should take note and expect the same requirements in the future for the same reasons. The role of the CISO can help local governments ensure that enterprise risks are being addressed and investors are protected.
References

Carnegie Mellon University (CMU) CyLab, Governance of Enterprise Security Study, 2008.

ICMA, A Look at Local Government Cybersecurity in 2020.

Forbes, The SEC Is About To Force CISOs Into America’s Boardrooms, https://www.forbes.com/sites/bobzukis/2022/04/18/the-sec-is-about-to-force-cisos-into-americas-boardrooms/