Subject: s7-04-22: WebForm Comments from David Strom
From: David Strom
Affiliation: cybersecurity journalist and consultant

Apr. 13, 2023

The way cybersecurity expertise is worded in the proposed rulemaking in s.407 makes me very skeptical. My first impression is that anyone who admits to satisfying these criteria to the SEC will paint a target on their backs and will be blamed for any future threat or exploit. Then, what if I took an exam (like a CSSP or Security+) and didn't pass? I still have some cyber knowledge. Does this mean I still have to disclose to the SEC?

The wording of the qualifications also implies (at least to me) that just about any Computer Science grad would probably have taken some infosec training (hope springs eternal) and would need to disclose this. I am not sure this satisfies the SEC's intention.

I have two important questions.

First, will these proposed rules motivate firms to hire any effective cyber experts as board members? My guess is probably not. At best, boards meet quarterly, and what is a board member supposed to do in between meetings if something is awry? Does this mean a CISO has a shadow reporting relationship to the cyber-aware board member? That is not a recipe for good corporate governance.

Second, will having this kind of expertise make a difference in terms of better breach response? One of the other proposed rules by the SEC is to mandate a four-day turnaround period once a breach has been determined. That is probably more important than anything else in these proposed rules, especially as most firms have a culture of hiding a breach for as long as they can get away with it. How this turnaround period is measured isn't really well defined either.