Why it matters
In the continuing efforts to enact cybersecurity legislation and advise the public about cybersecurity preparedness, a new bill introduced in the Senate would mandate that publicly traded companies disclose the cybersecurity expertise or experience found on the board of directors—or lack thereof. Alternatively, the bill would require that the company share what other steps it has taken to identify or evaluate cybersecurity awareness for board members. The Cybersecurity Disclosure Act of 2015, introduced by Sens. Jack Reed (D-R.I.) and Susan Collins (R-Maine), joins a long list of cybersecurity and data breach-related legislation pending in Congress. But the tweak of adding board disclosure requirements—intended to "strengthen and prioritize cybersecurity" at publicly traded companies—is a new twist.
Over the last few years, a myriad of cybersecurity and data breach legislation has been introduced in both the Senate and the House of Representatives, ranging from proposals to create a uniform standard for data breach notification in lieu of the current patchwork of state laws to a proposal that would provide liability protections to entities that voluntarily share lawfully obtained cyber threat information with an Information Sharing and Analysis Organization.
In a new development, two lawmakers introduced a bill that would make cybersecurity personal for publicly traded companies. The Cybersecurity Disclosure Act of 2015, introduced by Sens. Jack Reed (D-R.I.) and Susan Collins (R-Maine), would require the disclosure of cybersecurity expertise or experience represented on a publicly traded company's board of directors or the sharing of other steps the company has taken to identify or evaluate nominees at the board level.
The proposed measure seeks to "strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies," the legislators explained in a press release about their bill, citing statistics from the National Association of Corporate Directors that just 11 percent of public company boards questioned in 2015 reported a high-level understanding of cybersecurity.
Pursuant to the bill, covered entities would be required to disclose in their Securities and Exchange Commission (SEC) annual reports or proxy statements "whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience."
In addition, "if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee."
Together with the National Institute of Standards and Technology, the SEC would be tasked with defining what constitutes "expertise and experience" in cybersecurity, with the bill contemplating résumé items such as qualifications in administering information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats.
The lawmakers noted that the legislation does not require companies to take any action other than to provide the specified disclosure. The proposed legislation builds on currently required disclosures for public companies about why individuals are proposed as nominees for directorships in the first place and whether one or more directors qualify as an "audit committee financial expert."
Introduced in late 2015, the bill was referred to the Senate Committee on Banking, Housing, and Urban Affairs.
Reaction to the proposed law was mixed. In their press release, Sens. Reed and Collins included support from educators. For example, Harvard Law School professor John Coates praised the bill as providing "a light touch 'disclose or comply' approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way," while John Coffee, a professor at Columbia Law School, characterized the legislation as a "moderate and reasonable 'regulatory nudge' that pushes public companies to give greater attention to cybersecurity issues without mandating an inflexible board structure or insisting that 'one size fits all.'"
On the other end of the spectrum, critics have argued that experts of many kinds are valuable to a board of directors and that the legislation doesn't solve the problem of getting companies to allocate the necessary resources to address cybersecurity threats.