Legislation introduced in the U.S. Senate would require publicly traded companies to disclose to regulators whether any members of their boards of directors have cybersecurity expertise.
The Cybersecurity Disclosure Act of 2017 would not require companies to have a cybersecurity expert on their boards. Instead, it would require them to explain in its filings with the Securities and Exchange Commission (SEC) whether such expertise exists on their boards and, if not, why this expertise is unnecessary because of other steps taken by the company.
The bill’s sponsors — Democrats Mark Warner of Virginia and Jack Reed of Rhode Island and Republican Susan Collins of Maine — characterize the legislation as a consumer- and shareholder-protection measure.
“It is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against [data breaches],” Warner said in announcing the legislation. “This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”
The measure has been referred to the Senate Banking, Housing and Urban Affairs Committee. Warner and Reed serve on that committee.
Reed cited the 2014 breach of the social media company Yahoo that exposed 500 million user accounts as demonstrating the need for the bill. He specifically referenced Yahoo’s 10-K annual report, filed March 1 with the SEC, which states an independent board of directors’ committee investigating the cyberattack “found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident. The independent committee also found that the audit and finance committee and the full board were not adequately informed of the full severity, risks and potential impacts of the 2014 security incident and related matters.”
The Rhode Island senator said the lack of board understanding regarding the breach showed Yahoo failed to consider cybersecurity as a critical business practice. “Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” Reed said. “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cyber-governance. Through simple disclosure, we can strengthen cybersecurity oversight.”
According to a 2015 report published by the Georgia Institute of Technology, fewer than one-quarter of boards of directors had a member with cybersecurity expertise. The report’s author, Jody Westby, said she believes that percentage likely has not changed much since the report published.