Sep. 06, 2022
Thank you for recognizing that there is a need to foster more transparent information on cybersecurity governance and make it easier for investors to evaluate a company's security risk management. I believe the SEC should provide public companies some enhanced guidance on governing cybersecurity risk while preserving flexibility on implementation. In particular, the SEC should consider revising the proposed rule so it:

1) Sets standard minimum criteria for the cybersecurity topics that must be reported to the board at least annually. These should include:
- Top Cyber Risks and Emerging Threats to the Company
- Program Strategy and Maturity Progress Report with Key Performance and Risk Indicators
- Program Comparison to Industry and Peers
- Areas where Risk Exceeds Management Appetite and Discussion of Risk Reduction Strategies
- Audit and Regulatory Items

2) Requires disclosures to explain why the company believes the board, collectively, has the ability to oversee these risks adequately, rather than disclosure of one "cybersecurity expert."

3) Maintains the proposed safe harbor rule so it is clear that if a board does hire a "cybersecurity expert," it would not impose any greater liability on the cybersecurity expert than on other members of the board. Hiring a cybersecurity expert should also not decrease the duties, obligations or liability of other board members.

4) Enforces serious penalties for senior management who knowingly decide to cover up cybersecurity risks and other pertinent information from the board and in public filings.