Coercing Companies to Name Security-Savvy DirectorsLegislation Would Require Corporations to Reveal Boards' InfoSec Expertise
The bill, the Cybersecurity Disclosure Act, wouldn't require companies to have cybersecurity-savvy board members but would mandate that they report in their Securities and Exchange Commission filings which members of their boards have IT security expertise - or the steps they are taking to recruit such members.
"Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight," says Sen. Jack Reed, D-R.I., who's co-sponsoring the bill with Sen. Susan Collins, R-Maine.
Dearth of Cybersecurity Know-How
Several studies suggest that most corporate boards of directors lack sufficient know-how on cybersecurity risk.
A 2015-2016 Public Company Governance Survey from the National Association of Corporate Directors shows that only 11 percent of survey respondents believe their boards have a high level of understanding of the risks associated with cybersecurity. That survey reveals that 80 percent of directors believe they could improve their cyber knowledge, with 58 percent saying they should be actively involved in cybersecurity preparedness and response scenarios. Only 14 percent of respondents say they actively engage in cybersecurity preparedness and response.
How Often Cybersecurity Matters Discussed At Board Meetings
In another 2015 survey, two-thirds of some 200 board members from publicly traded companies - mostly from the financial services, healthcare and technology sectors - say they lack confidence that their companies are properly secured against cyberattacks. The survey, conducted by the New York Stock Exchange and application security vendor Veracode, found that 81 percent of respondents say cybersecurity is discussed at most or every board meetings.
The Cybersecurity Disclosure Act has been assigned to the Senate Banking, Housing and Urban Affairs Committee, but a committee spokesman says no hearings or votes on the measure have been scheduled. Lawmakers often introduce legislation, knowing it won't come up for a vote, to either publicize an issue they and their constituents care about or prompt action without having to enact a law.
Would the legislation catalyze publicly traded corporations to elect more directors with cybersecurity expertise?
"It might place some pressure on public companies to bring on someone with specific cybersecurity expertise, but companies would most likely respond to the law by telling the SEC about their current approach to cybersecurity at the board and why they chose to have - or not have - a board member with specific cyber experience," says Jacob Olcott, a vice president at BitSight Technologies, a provider of IT security rating systems, and former counsel of the Senate Commerce, Science and Transportation Committee.
The SEC requires companies to report cyber-incidents that could have an impact on corporate finances. The Cybersecurity Disclosure Act would add a bit more transparency "by making sure that firms provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyberattacks," Collins says.
'Reasonable, Regulatory Nudge'
Collins and Reed have lined up a number of endorsements for their bill from consumer protection activists, financial regulatory reform advocates and academics, including Columbia University Law Professor John Coffee, who says the legislation "amounts to a moderate, and reasonable regulatory nudge that pushes public companies to give greater attention to cybersecurity issues without mandating an inflexible board structure or insisting that one size fits all. This will help spur action, but still permit diverse approaches to a developing problem."
Though conventional wisdom holds that boards need to be more knowledgeable about cybersecurity and risk, that doesn't mean that having a director with IT security expertise is necessary, Olcott says. "Some would argue that it's better for the entire board to engage on this issue rather than simply appoint one person with a cybersecurity background to the board," he says.