Senator John D. Rockefeller IV (D., W.Va.) recently sent a letter to the CEOs of all Fortune 500 companies asking the companies for more information about their cybersecurity practices. The letter comes a month after Senate Republicans filibustered and blocked a bill that would have established voluntary computer security standards for companies running critical infrastructure systems, including the electric grid and Wall Street.

In the letter, Senator Rockefeller asks the companies to provide the Senate Commerce Committee with answers to eight questions about their cybersecurity needs, as well as their views on the Cybersecurity Act of 2012, by October 19th.

These questions are as follows: 

  • Has your company adopted a set of best practices to address its own cybersecurity needs?  
  • If so, how were these cybersecurity practices developed?  
  • Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
  • When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  • Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?  
  • What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?  
  • What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

Although the companies receiving the letter are not legally obligated to respond, the letter is further evidence that, even though Congressional action has ground to a halt, the quest for cybersecurity legislation is not going away. According to a report in The Hill, two U.S. Senators have called on President Obama to issue an executive order, citing the need for urgent action and a critical need to fill the cybersecurity void.

Companies should be proactive and implement cybersecurity safeguards and policies now so that these protections are already in place by the time any regulatory action is taken.