Legislation introduced in the U.S. Senate last week would require companies to disclose to investors, in their Securities Exchange Commission statements, if anyone on their board of directors is a cybersecurity expert.
The Cybersecurity Disclosure Act was introduced by
Sen. Mark Warner (D-VA), vice chairman of the Senate Intelligence Committee, along with Sens. Jack Reed
(D-RI) and Susan Collins (R-ME).
If a company does not have a cybersecurity expert on its board, the bill says companies must state why having this expertise on the board is not necessary because of other cybersecurity steps taken by the company.
“All public companies face threats daily from determined cyber-attackers out to steal their data. As we’ve seen with data breaches at retailers like Target and service providers like Yahoo, it is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against them,” Warner said. “This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”
Reed said cybersecurity is one of biggest challenges facing businesses.
“Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” Reed said. “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cyber-governance. Through simple disclosure, we can strengthen cybersecurity oversight.”
There were 1,093 breaches in 2016, according to the Identity Theft Resource Center, which marked a 40-percent increase from the prior year.
According to the 2016-2017 NACD Public Company Governance Survey, 59 percent of respondents said it is challenging to oversee cyber risk. Only 19 percent of respondents said that their boards possess a high level of knowledge about cybersecurity.
“As cyber-attacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” Collins said. “Our bill would make sure companies disclose to the public the basic steps they are taking to protect their businesses from cyber-attacks.”
The Cybersecurity Disclosure Act of 2017 is supported by consumer advocates and securities law experts, including the Consumer Federation of America, Harvard University School of Law Professor John Coates, Columbia University School of Law Professor John Coffee, and former International Monetary Fund Chief Economist and Massachusetts Institute of Technology Professor Simon Johnson.