The Cybersecurity Disclosure Act of 2015 sponsored by Senators Jack Reed (D-RI) and Susan Collins (R-ME) on December 17 is similar in concept to the audit committee financial expert provision under the Sarbanes-Oxley Act.
Under the bill, the SEC must enact rules requiring all reporting companies to disclose whether any board member has expertise or experience in cybersecurity and the nature of that expertise or experience. If no director qualifies, then the company must describe “what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.”
While this latter provision is awkwardly drafted, according to Senator Reed’s introduction of the bill, the intent is to have those companies that do not have cybersecurity expertise on their boards describe why they find it unnecessary because of other cybersecurity steps taken by the company. The senator quoted an NACD survey of directors where only 11% of directors indicated that they believed there was sufficient understanding of cybersecurity risks at the board level.
If the bill is enacted, which may be unlikely given the number of bills that are introduced, the key will be how expertise is defined. The Commission is charged with defining what constitutes cybersecurity expertise or experience, in coordination with the National Institute of Standards and Technology. The bill already contains a fairly specific characterization, which includes “professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats.” The bill further defines both “cybersecurity threat” and “information system.”