Two senators want to induce corporations to reveal how much their leaders know about cybersecurity.
The Cybersecurity Disclosure Act, from Sens. Susan Collins (R-Maine) and Jack Reed (D-R.I.), would require companies to detail the cyber expertise of their top officers, including boards of directors and general partners.
If passed, the bill would direct the Securities and Exchange Commission to issue rules requiring public companies to report their top employees’ cybersecurity knowledge in their annual SEC filings.
Such reporting would include whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience.
If no one in these positions at a company has cybersecurity knowledge, that company would have to explain how its cybersecurity posture factored into decisions about selecting members of that governing body.
“What we’re trying to do is have public companies recognize the need to have a cyber expert on their committee or accessible to their committee,” Reed told the Hill.
No one would dispute the need for companies to improve their cyberdefenses across the board, but it’s unclear whether requiring SEC-defined “experience in cybersecurity” at the board level will bring about security improvements.
Dave Weinstein, New Jersey’s first cybersecurity adviser, said he worried that the bill would become another exercise in checking boxes at the board level when it comes to cybersecurity while exerting artificial regulatory pressures.
“I believe board emphasis is really important but … Congress is naive when it comes to standards for expertise or even experience,” Weinstein said in an interview conducted via Twitter direct message. “We should leave it up to companies to differentiate themselves voluntarily by implementing each level of committee focus.”
Weinstein said that he supported new legislation to bolster cybersecurity but advised Congress to focus on transparency instead of corporate leadership structure. He suggested that Congress require the disclosure of more information about data breaches, which have grown more destructive in the last few years.
“It’s ironic to me that Congress is so uninformed about this topic,” Weinstein said, “yet they want to mandate controls on companies around experience and expertise, whether it’s at the board or IT level.”
Congress began paying close attention to cybersecurity after last spring’s Office of Personnel Management data breach. Lawmakers pushed through a controversial bill to encourage companies to share cyber threat data with the government, and one of the bill’s lead authors promised to hold regular hearings to monitor its implementation.
H/T the Hill | Illustration via Max Fleishman