Bill Would Compel Firms to Say If CyberSec Expert Sits on BoardSenate Sponsors Portray Proposal as Consumer, Shareholder Protection Measure
Legislation introduced in the Senate would require publicly traded companies to disclose to regulators whether any members of their boards of directors have cybersecurity expertise.
The Cybersecurity Disclosure Act of 2017, or S. 536, would not require companies to have a cybersecurity expert on their boards. Instead, it would require them to explain in its filings with the Securities and Exchange Commission whether such expertise exists on their boards and, if not, why this expertise is unnecessary because of other steps taken by the company.
The bill's sponsors - Democrats Mark Warner of Virginia and Jack Reed of Rhode Island and Republican Susan Collins of Maine - characterize the legislation as a consumer- and shareholder-protection measure.
"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said in a statement announcing the legislation. "This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."
The measure has been referred to the Senate Banking, Housing and Urban Affairs Committee. Warner and Reed serve on that committee.
Cyber Risk Oversight
Reed, in remarks made on the Senate floor, cited the 2014 breach of the social media company Yahoo that exposed 500 million user accounts as demonstrating the need for the bill. He specifically referenced Yahoo's 10-K annual report, filed March 1 with the SEC, which states that an independent board of directors' committee investigating the cyberattack "found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident. The independent committee also found that the audit and finance committee and the full board were not adequately informed of the full severity, risks and potential impacts of the 2014 security incident and related matters."
The Rhode Island senator suggested that lack of board understanding regarding the breach showed that Yahoo failed to consider cybersecurity as a critical business practice. "Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight," Reed said. "This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cyber-governance. Through simple disclosure, we can strengthen cybersecurity oversight."
According to a 2015 report published by the Georgia Institute of Technology, fewer than one-quarter of boards of directors had a member with cybersecurity expertise. The report's author, Jody Westby, says she believes that percentage likely has not changed much since the report was published.
The U.S. Chamber of Commerce has yet to weigh in on the bill because it needs to review the measure, a spokeswoman said. In the past, the Chamber has opposed one-size-fits-all corporate governance requirements regarding cybersecurity.
Making Informed Decisions
But Westby, CEO of the consultancy Global Cyber Risk, says she doesn't see the legislation as being onerous. "It's not going to put a big burden on business," she says. "It's just going to drive and push them to become more aware of why they need to have this expertise, and if they don't have it, then to get it to help them make informed decisions that will protect the shareholders."
The sponsors, citing research from the National Association of Corporate Directors, suggest boards need help in addressing cybersecurity challenges. The association's 2016-2017 public company governance survey reveals that 59 percent of respondents see overseeing cyber risk as a challenge, with only 19 percent of respondents saying their boards possess a high level of knowledge about cybersecurity.
If enacted as written, the bill would require the SEC to issue rules to enforce the act within 360 days of its passage.
Defining Cybersecurity Expert
The legislation also would direct the SEC, in consultation with the National Institute of Standards and Technology, to define what constitutes expertise or experience in cybersecurity.
The bill suggests the definition could be based on professional qualifications to administer information security programs or expertise in mitigating cyberattacks as described in NIST's NICE Cybersecurity Workforce Framework. NICE stands for National Initiative for Cybersecurity Education.
"As cyberattacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information [by making] sure companies disclose to the public the basic steps they are taking to protect their businesses from cyberattacks," Collins said.