Senate Bill Would Compel Firms to Say If Cybersecurity Expert Sits on Board

Legislation introduced in the Senate would require publicly traded companies to disclose to regulators whether any members of their boards of directors have cybersecurity expertise.

The Cybersecurity Disclosure Act of 2017 would not require companies to have a cybersecurity expert on their boards. Instead, it would require them to explain in their filings with the Securities and Exchange Commission whether such expertise exists on their boards and, if not, why this expertise is unnecessary because of other steps taken by the company. The bill's sponsors - Democrats Mark Warner of Virginia and Jack Reed of Rhode Island and Republican Susan Collins of Maine - characterize the legislation as a consumer- and shareholder-protection measure.

"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said in a statement announcing the legislation. "This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."

Reed cited the 2014 breach of the social media company Yahoo that exposed 500 million user accounts as demonstrating the need for the bill. He specifically referenced Yahoo’s 10K annual report, filed March 1 with the SEC, which states that an independent board of directors' committee investigating the cyberattack "found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident."

The Rhode Island senator suggested that lack of board understanding regarding the breach showed that Yahoo failed to consider cybersecurity as a critical business practice. "Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight," Reed said. "This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cyber-governance. Through simple disclosure, we can strengthen cybersecurity oversight."

Westby, CEO of the consultancy Global Cyber Risk, says she doesn't see the legislation as being onerous. "It's not going to put a big burden on business," she says. "It's just going to drive and push them to become more aware of why they need to have this expertise, and if they don't have it, then to get it to help them make informed decisions that will protect the shareholders."

"As cyberattacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information [by making] sure companies disclose to the public the basic steps they are taking to protect their businesses from cyberattacks," Collins said.
