SecurityWeek

U.S. Senators Introduce SEC Cybersecurity Disclosure Legislation

Cybersecurity Disclosure Act of 2015 Would Prioritize Cybersecurity at Public Companies Through SEC Disclosures  

U.S. Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the bipartisan Cybersecurity Disclosure Act of 2015 on Thursday, a bill that seeks to encourage the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at publicly traded companies.

In response to a wave of massive data breaches in recent years, the Reed-Collins legislation asks publicly traded firms to include cybersecurity related details in Securities and Exchange Commission (SEC) filings.

The bill would require each publicly traded company to disclose to investors whether any member of its board of directors is a cybersecurity expert and, if not, why the company considers such expertise on the board unnecessary in light of the other cybersecurity steps it has taken.

The legislation would not require companies to take any actions other than to provide disclosure.

“The bill would encourage boards to take direct responsibility for cybersecurity through a light touch ‘comply or disclose’ approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way,” said Harvard University School of Law Professor John Coates.

“Cybersecurity is one of the most significant and enduring challenges businesses face and should be accounted for as part of the corporate risk management process.  Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Senator Reed, a senior member of the Senate Banking Committee.  “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cybergovernance.”

A study released earlier this year from the Ponemon Institute found that 78 percent of the more than 1,000 CIOs, CISOs and senior IT leaders surveyed had not briefed their board of directors on cybersecurity in the last 12 months. In addition, 66 percent said they don’t believe senior leaders in their organization consider security a strategic priority. 

A separate survey published in January by the National Association of Corporate Directors (NACD) found that more than half (52 percent) of the 1,013 corporate directors surveyed were not satisfied with the amount of information they were receiving about cybersecurity. In addition, 36 percent said they were unsatisfied with the quality of that information.

“For decades the SEC has had the mandate to make sure investors and shareholders have similar information as insiders. Unfortunately, the annual disclosures made by publicly traded companies have not kept pace with the pace of technological innovation.  Our bill fixes that by making sure that firms provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber attacks,” said Senator Collins, a member of the Senate Select Committee on Intelligence.

Related: NYSE Survey Examines Cybersecurity in the Boardroom

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
