Yet Another Proposal to Require Disclosure of Board’s Cyber Expertise
Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?
A bipartisan group of senators has proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors and, if none exists, explain why the company does not believe such expertise is necessary.
The new legislation—formally “A bill to amend the Securities and Exchange Act of 1934 to promote transparency in the oversight of cybersecurity risks at publicly traded companies”—was introduced by Senator Jack Reed (D-RI) on February 28, and is co-sponsored by Senators Collins (R-ME), Warner (D-VA), Kennedy (R-LA), and Jones (D-AL).
By requiring disclosure of whether cybersecurity expertise exists on a public company’s board, the bill’s sponsors want to promote transparency and give investors and the public “a clear understanding of whether publicly traded companies are prioritizing cybersecurity and have the capacity to protect investors and customers from cyber related attacks,” according to Senator Reed’s statement introducing the bill.
The disclosure law does not require that public companies have a cybersecurity expert on their boards. One of its proponents, Harvard Law School Prof. John Coates, described the disclosure requirements as encouraging flexibility; a company might disclose that it had a board member with cyber expertise, or could “choose to hire outside cyber consultants,” or “boost cybersecurity expertise on staff” rather than hiring a director with particular experience with or knowledge of cybersecurity.
Senator Reed introduced a similar bill in 2015 and another in 2017, but neither left committee. The present bill, however, has picked up a number of additional co-sponsors and dovetails with the U.S. Securities and Exchange Commission’s increased focus on cybersecurity disclosures. In early 2018, the SEC released guidance for public companies about cybersecurity risks and incidents. The SEC’s guidance focused on when a company must disclose the risk of a cybersecurity incident or attack, but also touched on directors’ responsibilities as well, noting that disclosures must include a description “of how the board administers its risk oversight function” and that “[t]o the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing management of that risk.” The SEC further observed that “we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
The bill has now been referred to the Committee on Banking, Housing, and Urban Affairs, and we will provide further updates as it progresses.