New Bill Forces Cybersecurity Responsibility Into the Boardroom

Cybersecurity Disclosure Act of 2017 Forces Cybersecurity Responsibility Into the Boardroom

The need for board-level responsibility for cyber security is generally accepted but not always applied. A new bill introduced to the Senate seeks to change this by requiring a board-level statement of cyber security expertise or practice in annual SEC filings.

S536, cited as the ‘Cybersecurity Disclosure Act of 2017’, is sponsored by Democrats Mark Warner of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of Maine. Its purpose is to promote transparency in the oversight of cybersecurity risks at publicly traded companies. 

The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system…”

The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise of the board; or, if none exists, what “other cybersecurity steps taken by the reporting company were taken into account”; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.

“It is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against [data breaches],” Warner said in a statement announcing the legislation. “This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”

The effect of the bill will be to make the board legally and transparently responsible for cyber security. It is not the first regulation to seek this effect in 2017. On 1 March, the New York Department of Financial Services’ 23 NYCRR 500 regulation came into force. That regulation requires regulated organizations to name a ‘CISO’ who will provide an annual cyber security report, to be signed off by the board and submitted to the regulator.

Taken together, these two examples of new regulations suggest that regulatory authorities are no longer satisfied to make recommendations about board-level security responsibility, but are now ready to mandate and legally require it.

The implication is that it is no longer enough that organizations should have security on the board; it will increasingly become a legal requirement.
