Cybersecurity Disclosure Act of 2015 Would Prioritize Cybersecurity at Public Companies Through SEC Disclosures
U.S. Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the bipartisan Cybersecurity Disclosure Act of 2015 on Thursday, a bill that seeks to encourage the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at publicly traded companies.
In response to a wave of massive data breaches in recent years, the Reed-Collins legislation asks publicly traded firms to include cybersecurity related details in Securities and Exchange Commission (SEC) filings.
The legislation asks each publicly traded company to disclose information to investors on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company.
The legislation would not require companies to take any actions other than to provide disclosure.
“The bill would encourage boards to be take direct responsibility for cybersecurity through a light touch ‘comply or disclose’ approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way,” said Harvard University School of Law Professor John Coates.
“Cybersecurity is one of the most significant and enduring challenges businesses face and should be accounted for as part of the corporate risk management process. Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Senator Reed, a senior member of the Senate Banking Committee. “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cybergovernance.”
A study released earlier this year from the Ponemon Institute found that 78 percent of the more than 1,000 CIOs, CISOs and senior IT leaders surveyed had not briefed their board of directors on cybersecurity in the last 12 months. In addition, 66 percent said they don't believe senior leaders in their organization consider security a strategic priority.
A separate survey published in January by the National Association of Corporate Directors (NCD) that found that more than half (52 percent) of the 1,013 corporate directors surveyed were not satisfied with the amount of information they were receiving about cyber-security. In addition, 36 percent said they were unsatisfied with the quality of that information.
“For decades the SEC has had the mandate to make sure investors and shareholders have similar information as insiders. Unfortunately, the annual disclosures made by publicly traded companies have not kept pace with the pace of technological innovation. Our bill fixes that by making sure that firms provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber attacks,” said Senator Collins, a member of the Senate Select Committee on Intelligence.