A bill recently introduced in the US Senate, the Cybersecurity Disclosure Act of 2015 (S. 2410), is additional evidence that cybersecurity and data protection should be viewed as critical issues in corporate governance. The legislation has not been passed, but is under review by the Senate Banking Committee.
The bill would apply to “public companies,” i.e., those with stock or securities traded on a U.S. stock exchange or in over-the-counter markets. Public companies would be required to disclose whether any Board member has experience or expertise in cybersecurity, and to describe the nature of that experience or expertise. If no Board member has cybersecurity experience, the company would have to disclose why the Board concluded that it was not necessary to have cybersecurity expertise on the Board of Directors – for instance, due to existing cybersecurity measures or to the company’s other specific circumstances. The US Securities and Exchange Commission (SEC) would issue rules detailing these disclosure requirements.
The legislation was introduced by Senators Jack Reed (D-RI) and Susan Collins (R-ME), who both serve on the Senate Select Committee on Intelligence. It therefore has bipartisan support in the U.S. Congress, which means that it will be given serious consideration by both Democratic and Republican legislators.
In introducing the bill, Senator Reed explained:
Investors and customers deserve a clear understanding of whether publicly traded companies are not only prioritizing cybersecurity, but also have the capacity to protect investors and customers from cyber-related attacks. This bill aims to provide a better understanding of these issues through improved SEC disclosure.
This bill is further evidence that cybersecurity is a top-management responsibility and that corporate boards will be held accountable for ensuring that adequate data security and privacy protections have been put in place. While this legislation may not be passed by Congress in this busy election year, it is another wake-up call for corporate boards.
As shown by recent actions taken by the SEC and the Federal Trade Commission, companies that handle confidential or sensitive data are viewed as having a legal obligation to implement reasonable cybersecurity standards and take reasonable action to guard against data breaches. This bill demonstrates that those obligations, far from being the concern mainly of IT and compliance professionals, are increasingly becoming issues requiring the attention of the Board.