Cyber in the Board Room: Balancing Risk and Oversight
Boards of directors face increasing exposure to liability arising from data breaches and other cyber-incidents.
Nearly a year ago, Senators Jack Reed and Susan Collins introduced the Cybersecurity Disclosure Act of 2015, a bill aimed at promoting transparency in the oversight of cybersecurity risks for publicly traded companies. The bill requires the U.S. Securities and Exchange Commission to issue rules requiring each public reporting company to disclose whether any of its directors “has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience.” If no director has that expertise or experience, the company would be required “to describe what other cybersecurity steps taken by the reporting company were taken into account” by the board’s committee that nominates directors. The disclosure would be required in proxy statements or annual reports.
The bill has been stalled in committee and will likely not see a House analogue – much less a vote – any time soon. But it has garnered interest in the business and legal communities due to its potential to increase direct federal regulation in the board room, as well as its implicit mandate that public company boards increase their oversight of cybersecurity and data protection within their organizations.
And two regulators have recently taken aim at the issue of board-level cybersecurity accountability. Last week, federal bank regulators – in an advance notice of proposed rulemaking – announced that they were seeking public comment on standards that would require the nation’s largest banks to beef up their cybersecurity governance, including board-level approvals and “expertise in cybersecurity.” We discuss this proposal in a recent blog post.
At the state level, New York’s Department of Financial Services has proposed sweeping regulation that will go into effect on January 1, 2017, with unprecedented requirements that far exceed existing federal and state cyber regulation, including board “review” of a required 14-point comprehensive cybersecurity policy and written certification from a senior corporate officer verifying compliance with the regulation. The DFS proposal is covered in this blog post.
Whether the Cybersecurity Disclosure Act of 2015 ever gets legislative traction is a post-election question. But if the newly released requirements from federal and state banking regulators are any indication, cybersecurity should be on the agenda at the next board meeting of companies, large or small.