Security experts have long pressured companies to bring cyber-security expertise onto their boards of directors. Newly proposed legislation could apply even more pressure.
U.S. Senators Jack Reed (D-R.I.) and Susan Collins (R-Maine) have introduced the bipartisan Cyber-security Disclosure Act of 2015. It seeks to strengthen and prioritize cyber-security at publicly traded companies by encouraging the disclosure of cyber-security expertise, or lack thereof, on corporate boards at these companies.
According to the National Association of Corporate Directors, just 11 percent of public-company boards that were surveyed reported a high-level understanding of cyber-security. A similar analysis by PwC found that 30 percent of boards surveyed never discuss cyber-security issues at all.
The Reed-Collins legislation asks each publicly traded company to include in its Securities and Exchange Commission disclosures information on whether any member of the company’s Board of Directors is a cyber-security expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cyber-security steps taken by the publicly traded company. The legislation does not require companies to take any actions other than to provide this disclosure.
“For decades the SEC has had the mandate to make sure investors and shareholders have similar information as insiders,” Collins said in a statement. “Unfortunately, the annual disclosures made by publicly traded companies have not kept pace with the pace of technological innovation. Our bill fixes that by making sure that firms provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber-attacks.”
The bill “amounts to a moderate, and reasonable regulatory nudge that pushes public companies to give greater attention to cyber-security issues without mandating an inflexible board structure or insisting that ‘one size fits all.’ This will help spur action, but still permit diverse approaches to a developing problem,” says Columbia University School of Law Professor John Coffee, a supporter of the legislation.