What CISOs Need to Know about the Proposed Cybersecurity Disclosure Act

January 11, 2019

Now working its way through the U.S. Senate, the Cybersecurity Disclosure Act of 2017 is a simple bill that would have a far-reaching effect: To “make sure companies disclose to the public the basic steps they are taking to protect their businesses from cyber attacks,” as co-sponsor Sen. Susan Collins (R-ME) framed it.

What the Cybersecurity Disclosure Bill Says

The bill is about disclosure only; no security measures are mandated, at least not directly. As part of their annual reporting to the Securities and Exchange Commission (SEC), public companies would have to disclose:

  • Whether a member of the board “has expertise or experience in cybersecurity”.
  • If not, “what other cybersecurity steps” the company has taken instead.

What’s New and Different Here?

Requiring board expertise in information security would be a novelty in corporate America, at least outside of companies in the information security business. Huntington Bancshares and J.C. Penney recently added retired National Security Agency officials to their boards, two early instances of this trend.

More significantly, the Disclosure Act would hold boards of directors responsible for protecting their companies and their investors from data breaches, hack attacks and other cyber threats. And it would elevate cyber to the list of other “risk factors” that public companies must disclose, such as litigation, high debt levels or labor problems.

What’s the Outlook for this Cybersecurity Legislation?

The bill has bipartisan support – Democrats Jack Reed of Rhode Island and Mark Warner of Virginia co-sponsor with Republican Susan Collins – which is a positive sign. On the downside, Collins and Reed introduced the same bill in 2015 and couldn’t push it through.

However, a lot has changed since 2015. Several events made big headlines and raised the profile of cybersecurity as a business and political issue: the data breach at Yahoo cost the company hundreds of millions off its purchase price from Verizon; hackers ravaged servers at Sony Pictures; and $81 million was stolen from the central bank of Bangladesh, also the handiwork of online hackers. And let's not forget the Democratic National Committee's email hack of 2016.

If the bill makes it into law, regulations from the SEC will follow, outlining exactly how companies should define and disclose cybersecurity risks and mitigation. The bill directs the SEC to work with the National Institute of Standards and Technology (NIST) to define acceptable "experience in cybersecurity" for board members.

While the Trump Administration generally leans toward lighter regulation, it could turn out to be more activist on the cyber side. An executive order on information security is underway, and Jay Clayton, the newly appointed head of the SEC, brings prior experience leading the cybersecurity practice at a prestigious Wall Street law firm, where he advised clients on risk and liability. In 2015, he collaborated with other attorneys on an appeal for a “9-11-type Cyber Threat Commission”.

What’s the Bottom Line?

Boards of directors should take heed of legislation like the Cybersecurity Disclosure Act of 2017, as well as the recent regulations from the New York Department of Financial Services that require boards of financial companies to sign off on an annual cyber-risk assessment—and ask now if they’re prepared to stand up in front of regulators and make a quantifiable statement on the business impact of information security. And CISOs should be prepared to answer.