On December 17, 2015, Senators Jack Reed and Susan Collins introduced the Cybersecurity Disclosure Act of 2015, a proposed bill that would require publicly traded companies to disclose, in their investor filings with the U.S. Securities and Exchange Commission ("SEC"), whether any member of their board of directors is a "cybersecurity expert." If a company lacks a cybersecurity expert, the proposed bill would compel the company to explain in its disclosures why an expert is not necessary and the additional measures the company is taking to improve cybersecurity. According to a statement by Senators Reed and Collins, the "legislation would not require companies to take any action other than to provide this disclosure." The bill would also require the SEC and the National Institute of Standards and Technology to provide guidance on the qualifications necessary to be a cybersecurity expert.
Noting in their statement that the annual disclosures of publicly traded companies "have not kept pace with technological innovation," the senators explained that their bill proposes to increase transparency for investors and consumers as well as ensure that companies provide a basic amount of information about the degree to which a firm is protecting its economic and financial interests from cyber attacks.
While the proposed bill is a direct response to the recent rise in high-profile data breaches and cyber attacks that large companies have suffered over the previous year, it is misguided. Requiring at least one member of the board of directors to be a so-called "cybersecurity expert" reflects a fundamental lack of understanding of the role of directors. Regardless of whether board members have specific cybersecurity expertise, companies need to sharpen their focus on data privacy and cybersecurity issues.
The potential legislation also underscores the need to allocate sufficient resources to address cybersecurity risks. As breaches occur with alarming regularity, companies are grappling with the consequences—not only in terms of exposure of sensitive digital assets but also the resulting damage to shareholder value and brand reputation, as well as the threat of regulatory investigations and litigation. In their statement, Senators Reed and Collins cited a report from the National Association of Corporate Directors that only 11 percent of public company boards reported a high-level understanding of cybersecurity. The senators also cited an analysis by PricewaterhouseCoopers, which found that 30 percent of boards surveyed never talk about cybersecurity at all. Notably, the senators failed to describe the parameters used in determining the boards to be included in the survey.
Any number of experts would likely enhance the quality of a particular board of directors, but a one-size-fits-all approach is imprudent, reflects a misunderstanding of the role of the board of directors, and does not address the fundamental issue at hand—the need for companies to allocate the necessary attention and resources to the cybersecurity risks they are facing in the technologically evolving world in which they operate.
As cybersecurity increasingly becomes a focal point of regulatory scrutiny and enforcement efforts, agencies like the Federal Trade Commission and SEC expect boards to step up their involvement in cybersecurity oversight. SEC Commissioner Louis Aguilar recently warned that "Board oversight of cybersecurity risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks…. [B]oards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril."
The SEC has already made it clear that companies must disclose material cybersecurity risks and incidents to investors in their public filings. Companies looking for guidance on their disclosure requirements should consult the SEC's 2011 guidance on the issue as well as Commissioner Aguilar's speech about the responsibilities of boards and directors in overseeing and managing cybersecurity risk. Firms should also keep an eye on the SEC's Cybersecurity Examination Initiative, which outlines the cybersecurity risks and issues that SEC Examiners prioritize when assessing whether registered broker-dealers, investment companies, and investment advisers have implemented adequate procedures and controls.
With the ongoing deluge of data breaches and the efforts of regulators, including the proponents of the proposed bill to hold companies responsible, it remains clear that managing cybersecurity risk is a critical element of an enterprise risk management strategy. This proposed bill could vastly expand companies' disclosure requirements and turn on its ear the role of the board from one of oversight to one of hands-on management.
Of course, cybersecurity is a topic that most companies and their boards have considered in depth. The approach to address this topic varies widely company by company depending on a host of factors. As such, this is an area in which, in our view, private ordering rather than a misguided one-size-fits-all solution is appropriate as a policy matter.