I absolutely agree that effective board oversight of cyber risk does not require a director who purports to be an expert in cybersecurity.
An audit committee without an audit committee financial expert can still be a very effective audit committee, although the company will have to include appropriate related disclosure in its proxy statement. By contrast, an audit committee composed entirely of audit committee financial experts may be a very ineffective committee.
Effective board oversight of cyber risk, like any other risk, depends on appropriate reporting systems and controls, highly qualified and adequate executive management and staff, and an engaged board that asks questions and challenges management when appropriate, among other things. Of course, having cybersecurity experience would certainly be helpful for any director, just as having experience in M&A, corporate governance, marketing, regulatory affairs or financial operations is helpful. No one claims that a board should have an M&A "expert" in order to make well-informed decisions on transactions.
As I told someone the other day when this subject came up, having a cybersecurity expert on a board will no more guarantee that a company will be safe from cyber events than having a four-star general as president and commander-in-chief will guarantee that America will win its next war.