NACD Responds to SEC Rule Proposal on Public Company Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosure

05/12/2022


Recommendations Emphasize Aligning Proposed Rules with Best Practices and Delineating Between Board and Management’s Roles

WASHINGTON, DC (May 12, 2022) — The National Association of Corporate Directors (NACD), the authority on boardroom practices representing more than 23,000 board members, this week submitted comments to the US Securities and Exchange Commission (SEC) on its proposed amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

Agreeing with the intent of the proposed rules, NACD emphasized its support for consistent disclosure of information related to four key areas: cybersecurity incident response and reporting; cybersecurity risk management policies and procedures; the role of management in cybersecurity; and board cybersecurity expertise and oversight.

NACD emphasized the following main points about the board’s role in its comments:

  • The cybersecurity-specific roles of the board and management are distinct.

    • Management must control and mitigate risk, and drill deeply into breaches.

    • The board’s role is to make sure that cybersecurity is well managed and that the risk is well controlled. 

  • NACD believes cybersecurity oversight must be the shared responsibility of the whole board, not the responsibility of one director with cybersecurity expertise. 

“Continuous director education in cyber-risk oversight is critical for what the SEC is asking boards to do, and for directors to fulfill their obligations as effective stewards of their organizations,” said Peter R. Gleason, president and CEO of NACD. “We are in agreement with the SEC that long-standing efforts to ensure board members have the necessary resources to provide meaningful oversight of cyber programs are essential.”

NACD has demonstrated a deep commitment to promoting continuous director education and to helping board members keep pace with an ever-changing threat landscape. Today, more than 700 directors hold the NACD CERT Certificate in Cyber-Risk Oversight, which has long been recognized as the premier cyber credential for board members.

In the filing, NACD asserted and clarified the following:

  • NACD supports a collaborative approach that clearly outlines distinct cybersecurity-specific roles for the board and organizational management functions. 

  • NACD supports disclosure of material cyber breaches within four days of determining materiality.

  • NACD supports disclosures relevant to an organization’s management and board-level cybersecurity policies, procedures, and governance.

  • NACD supports phased requirements for smaller companies or another exemption to allow for maturing security operations, as well as consideration of other compliance and reporting requirements related to homeland security.

  • NACD recommends that full-board oversight be conducted through a strong oversight framework instead of being reliant upon one board member who is deemed to have specific expertise.

  • NACD supports identifying directors with cybersecurity expertise and/or education specific to cyber-risk oversight best practices, but rejects the proposal’s mandate to disclose lack of specific cyber expertise among board members.

  • NACD strongly supports the proposed safe harbor clarifying that a director identified as having cybersecurity expertise does not carry an increased level of liability under federal securities laws.

Click here to read the full comments submitted by NACD, including positions on other portions of the SEC’s proposal. 

About NACD
For more than 40 years, NACD has been on the leading edge of corporate governance, setting standards of excellence that have elevated board performance. NACD arms today’s directors with insights and education that drive their mission forward, while preparing a new generation of boardroom leaders to meet tomorrow’s biggest challenges. NACD is a community of more than 23,000 directors driven by a common purpose: to be trusted catalysts of economic opportunity and positive change—in businesses and in the communities they serve. To learn more about NACD, visit www.nacdonline.org.

Press Contacts
Shannon Bernauer
sbernauer@nacdonline.org
571-367-3688

Susan Oliver
soliver@nacdonline.org
703-216-4078