Subject: FILE NUMBER S7-09-22
From: Carter Schoenberg
Affiliation:

Jan. 26, 2023

Good day, 


With respect to the following: 


"..Management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.41" 


Taken from Federal Register / Vol. 87, No. 56 / Wednesday, March 23, 2022 / Proposed Rules 


How will the SEC evaluate what "relevant expertise" will be?  Unless the US Government adopts a model that the person responsible (on behalf of the board) has the right qualifications and years of experience, the submissions by Registrants to the SEC will likely be a "check the box" approach and not align with the goals and objectives of this proposed obligation. 


Example: If the Board of Directors for ACME advises Jamal Washington is the cyber expert, because he possesses a Security+ certification and has five years of experience in cyber security, is likely going to result in shareholder value being inadvertently diminished.  


Sincerely, 


Carter Schoenberg