Amid growing alarm on Capitol Hill over cybersecurity and data privacy, new Senate legislation would require publicly traded companies to disclose in Securities and Exchange Commission (SEC) filings whether they have cybersecurity experts on their boards of directors – and if not, explain why.
Sen. Jack Reed, D-R.I., said his legislation is meant to encourage companies to be more transparent about whether and how their boards and senior management are prioritizing cybersecurity.
His bill – the Cybersecurity Disclosure Act – picked up support from several key lawmakers, such as Sen. Mark Warner, D-Va., one of the Senate’s leading voices on cyber policies and vice chairman of the Intelligence Committee. It also enjoys Republican support, with Sens. Susan Collins, R-Maine, and John Kennedy, R-La., having signed on as co-sponsors.
It’s not clear whether data privacy or overall cyber legislation will gain traction in this divided Congress, especially in the run-up to the 2020 presidential campaign. Although states are acting individually on data protection requirements and federal pre-emption may be necessary to provide companies and consumers alike with a uniform national standard, Congress lacks bipartisan consensus on a policy solution. When it comes to cyber protections in the private sector, federal lawmakers have done little other than call on companies to invest in protecting their online systems.
But additional cyber breaches could propel Washington to act.
During a recent Senate Banking Committee hearing on capital formation and corporate governance, the committee’s top Democrat, Sen. Sherrod Brown, D-Ohio, recommended Reed’s bill, saying it would improve transparency and promote disclosure.
If the bill does advance in Congress, expect serious pushback from a business community already weary of proxy proposals and demands for action on a wide array of environmental, social and political matters. Some business stakeholders worry the bill could create a cause of action against companies if they experience a data breach. Recently posted text of the legislation appears to contain no safeguards against liability.
What constitutes a cyber expert for a board position on a publicly traded company? Reed’s bill leaves that to the SEC, which would be charged to work with the National Institute of Standards and Technology to develop definitions and implement regulations.
Even as the private sector tries to grapple with growing online threats, the nation’s largest business lobbying group says the legislation would be both burdensome and ineffective.
Tom Quaadman, the executive vice president for the U.S. Chamber of Commerce, told senators that the SEC already has requirements on cybersecurity and overall risk management. Quaadman said requiring cybersecurity experts on boards would assign a critical responsibility to boards that more properly lies with management.
At minimum, the legislation would hand activist investors an easy way to attack companies, particularly those that choose to explain their existing cyber protections rather than seat a board member with cyber expertise. Considering the white-hot atmosphere surrounding cybersecurity, most companies would feel at least some pressure to comply, requiring the addition of a new board member in most cases – no small matter for a publicly traded company.
Framing the issue in military terms, Reed used his time at the corporate governance hearing to respond to the criticism that the legislation is burdensome, saying he isn’t trying to dictate the composition of publicly held boards. The senator said that too often chief security officers are unable to access CEOs and his bill would force companies to make online protections a top company priority.