Blog: Bipartisan Senate Bill Introduced To Require Public Companies To Increase Transparency Regarding Board Oversight Of Cybersecurity Risks

Cydney Posner
Cooley LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Senators Jack Reed and Susan Collins have introduced the bipartisan Cybersecurity Disclosure Act of 2015, a bill to promote transparency in the oversight of cybersecurity risks at publicly traded companies.  According to the press release, the bill is designed to ensure that public companies “provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber attacks.”  In addition, the bill “seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies.”

Sidebar: More regulation by humiliation?

The Senators report that “[c]yberattacks on large companies skyrocketed 44% last year over 2013 levels, and cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.” At the same time, “[a]ccording to the National Association of Corporate Directors, just 11% of public-company boards questioned this year reported a high-level understanding of cybersecurity.  According to the Los Angeles Times, a review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack.  An analysis by PricewaterhouseCoopers found that 30% of boards surveyed never talk about cybersecurity at all.”  In addition, directors participating in a 2013 NACD roundtable acknowledged that their lack of adequate knowledge about cybersecurity made effective oversight of cybersecurity activities a challenge.

The bill would require the SEC, within 360 days after enactment of the bill, to issue final rules to require each public reporting company to disclose whether any of its directors “has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience.” If no director has expertise or experience, the rules would require the company “to describe what other cybersecurity steps taken by the reporting company were taken into account” by the board’s nominating committee in nominating directors.  As the press release describes it, this element would require the company to explain “why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company.” The disclosure would be required in proxy statements or Annual Reports on Form 10-K.

“Cybersecurity expertise or experience” would be defined by the SEC in coordination with the National Institute of Standards and Technology, but could include elements such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating or addressing cybersecurity threats.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Cooley LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide