What Is the Cybersecurity Disclosure Act of 2015 And Why Should Directors Care?
Directors bear a unique responsibility in the ecosystem of a company. It is our job to offer guidance and oversight at the same time. We must be supportive of management while looking out for the best interests of the shareholders. And now we should also know the difference between malware and ransomware, and between a Trojan and a backdoor.
That's right… Directors should have a working knowledge of cybersecurity. In today's world of hacks, identity theft, malicious damage and virtual graffiti, having Directors with more than a casual familiarity with the subject matter is smart business, but it may also soon become the law.
The Cybersecurity Disclosure Act of 2015 (S.2410 of the 114th Congress) is a bill introduced in the Senate on December 15, 2015, which might affect your company and the way that you do business. If you are a publicly held company you must be aware of this pending bill, but even if you are not you should still be aware of the reasoning and logic behind it; it would be wise to consider taking action even if you are not legally required to do so.
The law is summarized by the official website Congress.gov as "To promote transparency in the oversight of cybersecurity risks at publicly traded companies."
It's important to understand what this bill means, why it was proposed, whether it affects you and what to do about it if it does. The intention of this article is to answer those questions.
What does The Cybersecurity Disclosure Act of 2015 mean?
In short, this proposed law means that every publicly held company in the United States - and there are thousands - must disclose in its public filings whether any member of its Board of Directors has expertise or experience in cybersecurity, i.e., whether it has a designated cybersecurity expert (the "DCE"). If the company does not have a DCE it must explain why it feels that it does not need one and, presumably, what other cybersecurity measures it is taking to protect itself from cybercrime and cyberattacks.
(Note that every public company must have a Board of Directors, although Boards can also be found in privately held companies at their option. The benefits of taking appropriate cybersecurity measures are no less pronounced for a private company than for a public one.)
If the bill passes, the Securities and Exchange Commission (SEC) must issue final rules within 360 days of enactment outlining what publicly traded companies must disclose in their annual reports or proxy statements regarding their Directors' expertise or experience in cybersecurity and cyber threat prevention.
Who will be affected by this law?
This bill is intended to create a mandate for public companies only. However, any company that must report to investors, its own employees or, perhaps most importantly, its customers about the measures it takes to protect the company's finances, operations, data and reputation should consider this bill a guideline for what it should be providing.
What does my company have to do if affected by the Cybersecurity Disclosure Act of 2015?
If you are a publicly traded company (i.e., your company files annual reports with the SEC because its shares trade on a stock exchange or over-the-counter market, including but not limited to the NYSE, NASDAQ, OTC or even the "pink sheets") you must disclose whether someone on your Board of Directors has expertise or experience in cybersecurity, and explain publicly if no one does. If no current Directors have such experience it will be incumbent upon the company to either add one to its Board or have one of its Directors become sufficiently experienced, trained – or possibly certified – in cybersecurity matters such as threat prevention, fraud detection and identity management, or else be prepared to justify the gap in its filings every year.
In short, if your Board does not have a Director who can be its DCE, get one.
“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril,” said Luis A. Aguilar, commissioner at the US Securities and Exchange Commission (SEC), in June 2014.
What qualifies someone as having "expertise" or "experience" in cybersecurity?
The proposed law does not currently define what qualifies someone as an "expert" or as having "experience" in the subject matter; it leaves that to the SEC's rulemaking. That said, it is reasonably safe to assume that individuals meeting the following criteria would qualify:
· Anyone holding the CISSP (Certified Information Systems Security Professional) credential, or one of its advanced concentrations, from the International Information System Security Certification Consortium, (ISC)².
· Someone with experience in running an organization or enterprise where they perform an active role in the day-to-day management of cybercrime prevention activities.
· Someone with a patent on identity management, fraud detection, threat prevention or other cyber threat management software, processes or products.
· Someone recognized by others as an expert in the subject matter by virtue of authoring multiple articles, white papers or analyses, or of having been cited or quoted repeatedly by publicly recognized media regarding such matters.
Will the law pass?
Of course, it's impossible to tell until it comes up for a vote. Nonetheless, given the regular and growing coverage of cyber threats in public news sources - hacking, data theft, malicious damage, and theft of personal information including social security numbers, credit card numbers, login IDs and passwords, and medical records - it is likely that the proposed law will receive broad exposure and support.
If the law doesn't pass are we still at risk?
If the law doesn't pass you may not be in violation of a Federal law, but you'd certainly be in violation of common sense. Boards of Directors, collectively and individually, are at risk from cyberattacks even if the company doesn't maintain detailed customer information, credit card numbers or personal records. Imagine that the company on whose Board you sit is hacked – identities stolen, manufacturing lines brought to a halt by malicious mischief, records destroyed, competitive information revealed. Couldn't you as a Director be at some risk of legal action, of losing your seat on the Board, or of other negative effects? It is becoming clearer every day that even without a law you need to protect your enterprise from hacking in order to protect yourself. Here are some recent examples of how problematic this has become:
Ethical Boardroom: Cybersecurity Risks: Laws and Trends
The Drum: Cybersecurity a "Board level issue"
At this point you might be thinking that your CIO or CTO will know everything there is to know about this topic, and have faith, justifiably, that it's being handled properly. No doubt they will know far more than even a Director educated in these matters will know, but that's not the point. It's their job to know all about it. It's the Board's responsibility to know enough about it to protect the company, and to ask the right questions of management.
Scott Goldman is the CEO of TextPower, Inc., which provides personalized and bulk notifications via text messaging to utilities, municipalities, universities and enterprises. He is also an Independent Director on the Board of a $2B Fortune 1000 company. He started and maintains BeCyberAware.com and tweets as @BeCyberAware in an effort to help C-level executives and Board Directors learn more about protecting themselves and recovering from cyberattacks. The opinions expressed in this article and in Mr. Goldman's social media accounts are his alone and are not endorsed by, nor do they express the positions of, companies with which he is associated.