In 2015, The United States Senate introduced the Cybersecurity Disclosure Act of 2015, the goal of which being to “promote transparency in the oversight of cybersecurity risks at publicly traded companies.”
Two crucial revelations to come out of the bill are as follows:
(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee."
Proposed US Senate Bill, Cybersecurity Disclosure Act of 2015
The pressure on boards of directors to take cybersecurity risk into account continues to escalate, with the latest push being the recently proposed Cybersecurity Disclosure Act of 2015. Whether or not this bill passes, it highlights the increasing regulatory concern that companies are not doing enough to oversee cybersecurity risk at the boardroom level.
In managing and directing corporate affairs, boards have an obligation to the shareholders to protect corporate assets, including confidential and proprietary information, reputation, and goodwill. This includes overseeing the programs that management has put in place to identify, mitigate, and manage risks to the company’s business operations. The challenge is that boards continue to lack the expertise to judge the adequacy of management's information security programs. Even when guidance is supplied on questions to be asked by the board to management, without the proper background in cybersecurity and risk, boards are left lacking when it comes to assessing whether the answers supplied are sufficient or reasonable. Thus the call and increasing pressure for boards to include advisors or members who can supply the cybersecurity expertise needed.
This pressure has been highlighted in recent years in such areas as the National Association of Corporate Directors (NACD) board guidance on cybersecurity and SEC statements on the board's need to oversee cybersecurity risk. Where appropriate, cyber risk disclosure is now a requirement in Form 10-K and 10-Q filings. The 2015 Weil, Gotshal & Manges LLP report Cybersecurity, Financial Reporting and Disclosure Challenges, details the actions boards should be considering to address these expectations and evolving requirements regarding their cybersecurity and risk obligations.
As the proposed cybersecurity bill highlights, the pressure to disclose whether there are adequate resources on the board to properly manage these risks will only be increasing. The time for boards to act is now, before the crisis or breach occurs that forces the issue into the forefront and before the question is brought to a head in litigation from disgruntled shareholders or impacted customers or consumers.
This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.
Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.
Submit a Comment