New SEC rules regarding cybersecurity risk management and incident reporting are expected to be adopted in the very near future. These new rules will require public companies to report on virtually all cybersecurity incidents and to provide periodic updates on both the impacts of the incidents and the company’s policies and procedures to identify and manage cybersecurity risk.
Moreover, the proposed rules mandate that public companies disclose and report on the individual cybersecurity expertise of the board of directors.
This latter requirement has been widely interpreted as a mandate (or at least a strong suggestion) that each board include a cybersecurity “expert,” either as a board member or as a senior advisor with management responsibility and authority. The logical person for this role is the corporate Chief Information Security Officer (CISO). Unfortunately, this individual is currently often relegated to a reporting role without the ability to help shape corporate policy.
A recent Forbes article (April 20, 2023) estimated that “only about half of Fortune 100 companies have a director on their boards with relevant cybersecurity experience. The situation in the Fortune 200 and 500 is even more concerning, with only nine percent having cyber-savvy directors.”
This situation will have to change significantly when the new SEC rules are finalized. TMG’s expertise in both cybersecurity placement and board searches can be of assistance to the industry, either by helping to identify board-ready cybersecurity experts, or helping develop cybersecurity talent within the organization.
If you have questions or comments, please contact Eric Shott, Deborah Page or Mike Holmes.