SEC Proposes New Cybersecurity Rules: Is Your Board Prepared?

May 12, 2022

Is your board cyber competent? Boardroom cyber expertise has become more and more important, especially in light of new rules proposed by the Securities and Exchange Commission. Here’s what you should know.

The problem at hand

Cybersecurity threats are on the rise in both the private and public sectors. The SEC has proposed new rules to highlight the importance of maintaining secure and reliable information systems. The new rules also cover new threats and vulnerabilities due to remote work, digital and virtual payments, new ransomware campaigns and more.

What are the proposed rules?

Much like Sarbanes-Oxley impacted the composition of the Board of Directors and required disclosure of financial expertise almost 20 years ago, the recently proposed new rules would require U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise.

What is Cybersecurity “Expertise”?

The proposed rule suggests that expertise can be determined by:

- Whether the Director has prior work experience in cybersecurity;
- Whether the Director has obtained a certification or degree in cybersecurity; and
- Whether the Director has knowledge, skills or other background in cybersecurity such as security policy and governance, risk management, security architecture and engineering, etc.

Impact on non-Registrant entities

If history has taught us anything, SEC requirements eventually impact all enterprises, whether directly through legislation at the federal or state level or indirectly, such as if you are a business partner of an SEC registrant. The SEC wants deep operational competencies in cybersecurity in the boardroom, as they did with financial expertise. The SEC’s action is a positive step towards creating accountability and transparency in the wake of destructive breaches and should be used as a best practice for entities of all types.

As we have shared before, cyber risk affects virtually every kind of enterprise, and it is not a matter of if, but when your organization will be attacked. Competency at the Board level, regardless of the type of organization, is not a “nice to have” but rather a “must have”.

Interested in learning more about protecting your organization? Please reach out to me or any member of our Information Security Services Team.