With cybersecurity attacks on the rise and amid growing calls for transparency in the private sector, public companies may soon be required to disclose whether they have any cybersecurity experts on their Boards of Directors in their periodic filings to the US Securities and Exchange Commission (SEC). The pending bill, the Cybersecurity Disclosure Act of 2019, is part of a growing trend to enhance the SEC’s oversight of private sector cybersecurity, using the agency’s comprehensive scheme of obligated disclosures to shine a light on corporate efforts to protect against data breaches.
The Cybersecurity Disclosure Act, originally introduced in 2017, was recently reintroduced on March 1 by its three original sponsors: Senators Jack Reed (D-RI), Susan Collins (R-ME), and Mark Warner (D-VA). It also gained two new co-sponsors, one from each party: Senators John Kennedy (R-LA) and Doug Jones (D-AL). The Act directs the SEC to issue final rules requiring a registered issuer to disclose in its mandatory annual report or annual proxy statement which members of its governing body have expertise or experience in cybersecurity. If no member of the Board has such expertise or experience, the issuer must describe “what other company cybersecurity aspects were taken into account by the persons responsible for identifying and evaluating nominees for the governing body.” Representative Jim Himes (D-CT), chairman of the House Intelligence, Strategic Technologies and Advanced Research Subcommittee, introduced companion legislation in the House of Representatives on March 13.
The bipartisan group of sponsors described the proposed disclosure as necessary to inform shareholders and customers whether a company properly prioritizes the cybersecurity of consumer and proprietary information. “Publicly traded companies should have an obligation to let their shareholders know how they are addressing these serious threats or explain why they are not taking measures to counter attacks,” said Rep. Himes in a statement. Sen. Reed, author of the original 2017 legislation, called cybersecurity “one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process.”
The proposed disclosure bears similarity to a 2002 provision of the Sarbanes-Oxley Act that requires a public company to identify which members of its audit committee are “financial experts” in its annual disclosures. This requirement was meant to assure shareholders of the veracity of the company’s auditing process. Sarbanes-Oxley gave the SEC latitude to use its own determination as to what experience was sufficient to qualify as a “financial expert.” Similarly, the Cybersecurity Disclosure Act leaves it to the SEC, in consultation with the National Institute of Standards and Technology, to define what constitutes “cybersecurity expertise.” If the reporting company has no directors who meet this as-yet undefined expertise, the company must explain what cybersecurity precautions or efforts are being undertaken in their absence.
The SEC has increasingly become a force in the regulation and oversight of corporate cybersecurity measures. In 2011, the agency first advised public companies to report to investors if they had suffered “material” cyberattacks. With little change in the number of cyberattacks subsequently reported, the SEC updated its guidance in 2018, issuing a stern warning to public companies to make “timely” disclosure, given the “grave threat” that cyberattacks pose to shareholders and capital markets. The agency has since brought enforcement actions against companies that do not disclose material breaches, including against Yahoo for failing to report in its SEC filings that 500 million user accounts had been compromised.
While the Cybersecurity Disclosure Act mandates no affirmative actions by public companies beyond disclosure, the Act signals continued intent by Congress and the SEC to pressure corporate executives to prioritize cybersecurity and to highlight their efforts to investors. Although many companies already make disclosures about their cybersecurity risks and preventative measures in other sections of their SEC filings (namely, their Management's Discussion and Analysis), the Act could have the effect of adding still more discussion of cybersecurity in another section of their disclosures, or possibly incentivize Boards to bring cybersecurity experts into their fold.