
New Bill Forces Cybersecurity Responsibility Into the Boardroom


Cybersecurity Disclosure Act of 2017 Forces Cybersecurity Responsibility Into the Boardroom

The need for board-level responsibility for cyber security is generally accepted but not always applied. A new bill introduced in the Senate seeks to change this by requiring a board-level statement of cyber security expertise or practice in annual SEC filings.

S536, cited as the ‘Cybersecurity Disclosure Act of 2017’, is sponsored by Democrats Mark Warner of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of Maine. Its purpose is to promote transparency in the oversight of cybersecurity risks at publicly traded companies. 

The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system…”

The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise on the board; that, if no such expertise exists, the report must state what “other cybersecurity steps taken by the reporting company were taken into account”; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.


“It is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against [data breaches],” Warner said in a statement announcing the legislation. “This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”

The effect of the bill will be to make the board legally and transparently responsible for cyber security. It is not the first regulation to seek this effect in 2017. On 1 March, the New York Department of Financial Services’ 23 NYCRR 500 regulation came into force. That regulation requires regulated organizations to name a ‘CISO’ who produces an annual cyber security report; the board signs off on that report before it is submitted to the regulator.

Taken together, these two examples of new regulations suggest that regulatory authorities are no longer content merely to recommend board-level security responsibility, but are now ready to mandate and legally require it.

The implication is that having security expertise on the board is no longer simply good practice for organizations; it will increasingly be a legal requirement.
