Public Companies and Cybersecurity Talent: Pending Legislation
Publicly traded companies would have to tell investors if any of their board members or general partners are cybersecurity experts and if not, why not, should a new, bipartisan bill introduced on Wednesday become law.
The bill would require public companies to include in Securities and Exchange Commission (SEC) disclosures other cyber risk-lowering measures undertaken beyond seating security experts on their board of directors. There’s no provision in the bill requiring companies to put cybersecurity sharpshooters on their boards. The proposed lower chamber legislation, sponsored by Representative Jim Himes (D-CT), is a companion bill to the upper chamber’s Cybersecurity Disclosure Act of 2019 introduced two weeks ago and sponsored by Sens. Jack Reed (D-RI), Susan Collins (R-ME), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL). The sponsors said the bill is intended to better protect customers, increase transparency for investors, and ensure public companies are prioritizing cybersecurity and data privacy.
Earlier legislation in 2017 failed to gain traction in Congress. The sponsors said this bill reflects the growing concern in Congressional circles, no matter how late on the draw, of cybersecurity threats reaching into all areas of industry, whether public or private. However, exactly how the cybersecurity expertise of a board member would suffice to meet the bill’s stated objective isn’t clear. Many public and private companies already recognize the severe threat posed by nation-state bad actors and other hacking gangs and rely on cybersecurity pros to best defend their organizations against attacks. It’s not clear how disclosing to investors the cybersecurity expertise of a board member would actually make a difference in how a company’s risk of being hacked is viewed.
“Publicly traded companies should have an obligation to let their shareholders know how they are addressing these serious threats or explain why they are not taking measures to counter attacks,” Himes said. “Billions of dollars of American wealth are at risk, and I am tired of seeing American companies play catch up against our geo-political rivals or lone-wolf threats.”
To underwrite their rationale for the bill, the sponsoring lawmakers pointed to data from the Identity Theft Resource Center that found a 126 percent rise in the number of data breaches that exposed records containing personal credentials. The increase from 197.6 million in 2017 to 446.5 million in 2018 spanned all industries. In addition, a recent survey by the National Association of Corporate Directors Public Company Governance found that only 52 percent of directors “are confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight.” Less than 60 percent believe their boards are capable of providing effective oversight on cyber risk.
“With growing cyber threats, we must be proactive in bolstering our nation’s cybersecurity,” Sen. Reed said. “This legislation advances that goal by encouraging publicly traded companies to be more transparent about whether and how their Boards of Directors and senior management are prioritizing cybersecurity.”