Cybersecurity and Board Oversight

Mayer Brown Free Writings + Perspectives

In a recent speech, SEC Commissioner Kara Stein commented on the importance of cybersecurity.  The Commissioner noted that encouraging adoption of written policies and procedures, voluntary frameworks and non-binding guidance was not sufficient.  She noted that boards of directors have a fiduciary duty to shareholders to monitor and oversee risk, including cybersecurity oversight.  She seems to suggest that just as Commission rules require disclosure regarding financial experts, it would be reasonable for there to be some disclosure as to whether boards have an independent director with expert knowledge of technology and cybersecurity.  Otherwise, boards should retain experts to provide advice.  The Commissioner suggests independent directors meet with the company’s chief information security officer at least twice a year in executive session.  She notes that boards should assess company disclosures regarding cyber risks.  Finally, she suggests that the board ought to consider how well prepared the company is to respond to a breach, the resiliency of its infrastructure, and the procedures that will be implemented to recover and resume operations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mayer Brown Free Writings + Perspectives | Attorney Advertising

Written by:

Mayer Brown Free Writings + Perspectives