In recent years, there has been an increase in the frequency and sophistication of cybersecurity attacks on both businesses and governments. There has also been an increased interest in government regulation of cybersecurity to protect the public from data breaches. Recently, two American Senators – one Democrat and one Republican – introduced a bill that would require publicly traded companies to have a cybersecurity expert on their board, or explain why having such a board member is unnecessary.
On December 17, 2015, the Cybersecurity Disclosure Act of 2015 (the “Bill”) was introduced in the United States Senate to promote transparency in the oversight of cybersecurity risks of publicly traded companies. This bipartisan bill would require reporting issuers, in their annual report or annual proxy statement submitted under the Securities Exchange Act of 1934 (United States), to either:
- disclose whether any member of the board of directors (or other governing body) of the publicly traded company has expertise or experience in cybersecurity and describe the nature of that expertise or experience; or
- if no member of the board of directors has cybersecurity expertise or experience, describe what other cybersecurity measures have been taken by the publicly traded company that have caused it to determine that cybersecurity expertise or experience is not required at the board level.
The Bill states that what constitutes “cybersecurity expertise or experience” is to be determined by the Securities and Exchange Commission and the National Institute of Standards and Technology.
The Bill seeks to implement a “comply or explain” regime. It does not impose any obligations on public companies with respect to cybersecurity beyond the above-mentioned disclosure. Canadian issuers are already familiar with such regimes. For example, National Instrument 58-101 has long taken a “comply or explain” approach to the corporate governance practices of Canadian issuers, most recently with respect to the representation of women on boards of directors and in executive officer positions.
While Canada does not have a “comply or explain” regime in place with respect to cybersecurity experts at the board level, regulators have published various instruments which address cybersecurity. For example, the Canadian Securities Administrators has released CSA Staff Notice 11-326, which suggests, among other things, that issuers review their cybercrime risks and consider whether they should disclose their cybersecurity risk control measures.
Although the Bill is not yet law (it is currently under review by the Committee on Banking, Housing and Urban Affairs), it is an indicator that, from a capital markets perspective, cybersecurity is being viewed as a critical part of corporate risk management. If the Bill becomes law, it remains to be seen whether Canadian issuers listed on U.S. securities exchanges will be subject to its requirements. Regardless, it behooves both public and private companies to take note of cybersecurity threats and to mitigate the attendant risk by including individuals with the relevant expertise and/or experience in the key decision-making functions within the organization.
Consider whether your organization has the necessary experience and expertise to address cybersecurity threats and to properly consider these issues at the board and executive management levels.