New bill would require public companies to disclose cybersecurity credentials
Congress to consider SEC filing add-on
A new bill introduced to Congress on Thursday would require US publicly listed companies to disclose who on their Board has cybersecurity expertise.
If it passes, the Cybersecurity Disclosure Act of 2015 would oblige companies to add details of which, if any, of their directors know about online security in filings to the Securities and Exchange Commission (SEC).
The idea is to prompt public companies to recognize their own failings in terms of protecting their data in the wake of a number of high-profile hacking cases and increasingly aggressive state-sponsored efforts to get at valuable commercial information.
The bill is bipartisan, having been put forward by senators Jack Reed (D-RI) and Susan Collins (R-ME). It would ask all public companies to disclose to investors whether any of the company’s directors is a cybersecurity expert, and if not, why having this expertise is not necessary. It would not require the companies to take action.
Just 11 per cent of public boards have a "high-level understanding of cybersecurity," according to the National Association of Corporate Directors. According to the Los Angeles Times, two-thirds of public-company board members feel they are ill-prepared for a cyberattack. PricewaterhouseCoopers found that 30 per cent of boards surveyed never talk about cybersecurity at all.
A survey of over 1,000 senior IT people by the Ponemon Institute found that 78 per cent of them had not been asked to brief their Board in the previous year, and 66 per cent of those surveyed said they didn't think security was a strategic priority for their company.
Get with the program
"Cybersecurity is one of the most significant and enduring challenges businesses face and should be accounted for as part of the corporate risk management process," said Senator Reed. "Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight."
The idea of forcing public companies to face their cybersecurity failures is not a new one.
Back in January, in the wake of the Sony Pictures hack, the SEC said it was considering measures to force companies to disclose more information about data breaches and related cybersecurity issues.
The previous year, the SEC even held a meeting on that very topic, where it outlined a study it had carried out on the top 100 financial firms in terms of cybersecurity. But companies have been reticent, claiming that providing such information could be an invitation for shareholder lawsuits.
But the idea of more disclosure goes back even further: to 2011, when senate commerce committee chair Jay Rockefeller made the suggestion that public companies provide information about cybersecurity failings – something he reiterated in 2013. ®