Senators Jack Reed and Susan Collins have introduced the bipartisan Cybersecurity Disclosure Act of 2015, a bill to promote transparency in the oversight of cybersecurity risks at publicly traded companies. According to the press release, the bill is designed to ensure that public companies “provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber attacks.” In addition, the bill “seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies.”
Sidebar: More regulation by humiliation?
The Senators report that “[c]yberattacks on large companies skyrocketed 44% last year over 2013 levels, and cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.” At the same time, “[a]ccording to the National Association of Corporate Directors, just 11% of public-company boards questioned this year reported a high-level understanding of cybersecurity. According to the Los Angeles Times, a review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack. An analysis by PricewaterhouseCoopers found that 30% of boards surveyed never talk about cybersecurity at all.” In addition, directors participating in a 2013 NACD roundtable acknowledged that their lack of adequate knowledge about cybersecurity made effective oversight of cybersecurity activities a challenge.
The bill would require the SEC, within 360 days after enactment of the bill, to issue final rules to require each public reporting company to disclose whether any of its directors “has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience.” If no director has expertise or experience, the rules would require the company “to describe what other cybersecurity steps taken by the reporting company were taken into account” by the board’s nominating committee in nominating directors. As the press release describes it, this element would require the company to explain “why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company.” The disclosure would be required in proxy statements or Annual Reports on Form 10-K.
“Cybersecurity expertise or experience” would be defined by the SEC in coordination with the National Institute of Standards and Technology, but could include elements such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating or addressing cybersecurity threats.