SEC Plans to Raise the Cybersecurity Bar for Boards of Directors

Board cybersecurity advisory

Betanews reports that hackers can penetrate the networks of 93% of all organizations worldwide. Only 7% are fully protected! Darkreading reports that companies suffered 50% more cyber attacks in 2021 from the previous year – from an already increased baseline in 2020! These are frightening statistics.

Perhaps not surprisingly in this rising tide of cyber threats, and against the backdrop of increased information security risks from Russia and its international sanctions, the U.S. government is preparing steps to ensure organizations engage the right skill-sets to navigate these complicated risks. To set the stage for this “raising of the bar”, the SEC recently announced proposed disclosure requirements on public company Boards of Directors relating to their cybersecurity risk management, strategy, governance, and incident reporting.


The new rules go far beyond requiring boards to “check a security program box”

This excerpt from the press release summarizes the capabilities the SEC expects boards to oversee…

The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures…

…but the SEC goes further than this, “raising the bar” on the directors themselves, requesting a summary of the cybersecurity expertise they possess individually and collectively…

The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.


Boards have several options from which to respond

Some have predicted that many boards may respond by adding cybersecurity experts as directors. This will not be surprising, and indeed may be the correct prudent step for many companies, depending on their business model and risk profile.

Other organizations may choose to engage advisors to help them rise to the new requirements. Expert cybersecurity consultants may:

  • Provide expert security insights to guide the board’s leadership of the company, their oversight of the IT and cybersecurity functions – a key function to ensure the appropriate protections are in place
  • Provide training for the existing directors – a key step to improving their response to the raised bar
  • Oversee the board’s disclosures to the SEC on cybersecurity topics


Help from outside experts will be needed in one form or another for most boards.


A prudent move as risks continue to grow

Regardless of the options boards of directors take to respond to these upcoming rules, one thing is clear: the bar is being raised on cybersecurity in this nation. We at Innovation Vista are supportive of this change; we’re in agreement that the risks have never been higher, and that the time has come to raise the bar on information security awareness and cybersecurity capabilities in our executive leadership.

Just as Sarbanes-Oxley raised awareness of the criticality of financial reporting, we’re hopeful that this step by the SEC similarly raises our collective bar on this crucial aspect of business and society in the modern world.

Reference: SEC announcement about the proposed cybersecurity amendments