In an effort to better protect customers, increase transparency for investors and ensure public companies are prioritizing cybersecurity and data privacy, Senators Jack Reed (D-RI), Susan Collins (R-ME) and Mark Warner (D-VA) have introduced the bipartisan Cybersecurity Disclosure Act of 2017 (S 536), a bill which would require companies to disclose whether any members of their corporate boards have cybersecurity expertise — similar to existing financial expert disclosures — but does not require cyber expertise, only disclosure.
The intent of the legislation is to promote transparency in the oversight of cybersecurity risks at publicly traded companies.
“The legislation would require publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the company. The legislation does not require companies to take any actions other than to provide this disclosure,” said the announcement of the bill.
The bill’s sponsors noted that, “Cyberattacks on companies and business continue to increase in their frequency and sophistication. Indeed, 2016 was another record-breaking year for data breaches, which increased 40 percent from the prior year to 1,093 breaches according to the Identity Theft Resource Center. For 2017, as of March 21, there were 353 breaches with 1,306,951 records exposed.”
According to a new Deloitte survey of risk managers at financial institutions, only 42 percent of respondents considered their institution to be effective in managing cybersecurity risk.
With regard to increasing oversight by boards of directors, the latest survey said, “Eighty-six percent of respondents said their board of directors is devoting more time to the oversight of risk management than it did two years ago, including 44 percent who said it is devoting considerably more time. The most common risk management responsibilities of boards of directors are review and approve overall risk management policy and/or Enterprise Risk Management framework (93 percent); monitor risk appetite utilization including financial and nonfinancial risk (89 percent); assess capital adequacy (89 percent); and monitor new and emerging risks (81 percent). However, there is more work to do in instilling a risk culture, where no more than roughly two-thirds of respondents cited as board responsibilities help establish and embed the risk culture of the enterprise (67 percent), or review incentive compensation plans to consider alignment of risks with rewards (55 percent).”
And, according to the 2016-2017 National Association of Corporate Directors (NACD) Public Company Governance Survey, “Fifty-nine percent of respondents reported that they find it challenging to oversee cyber risk, and only 19 percent of respondents said that their boards possess a high level of knowledge about cybersecurity.”
“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process. Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Reed, a senior member of the Senate Committee on Banking. “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cyber governance. Through simple disclosure, we can strengthen cybersecurity oversight.”
“As cyber-attacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Collins, a member of the Senate Select Committee on Intelligence. “Our bill would make sure companies disclose to the public the basic steps they are taking to protect their businesses from cyber attacks.”
Warner, a member of the Banking Committee, added, “All public companies face threats daily from determined cyber attackers out to steal their data. As we’ve seen with data breaches at retailers like Target and service providers like Yahoo, it is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against them. This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”
The bipartisan Cybersecurity Disclosure Act of 2017 is supported by consumer advocates and securities law experts, including the Consumer Federation of America; Harvard University School of Law Professor John Coates; Columbia University School of Law Professor John Coffee; and former International Monetary Fund Chief Economist and Massachusetts Institute of Technology Professor Simon Johnson.
“The board of directors is responsible for establishing the direction, culture and guardrails for the enterprise. Even more critical, they are responsible for ensuring the enterprise is moving in the right direction and staying within those established boundaries. As such, the board is the body that must establish the right culture, metrics and guidance for senior executives to properly manage cyber risk to their level of tolerance,” Bay Dynamics VP of Strategy and Enablement Steven Grossman told Homeland Security Today.
Grossman said, “Many boards have been caught without the right expertise to properly understand their companies’ cyber risk complexities, and have not done an effective job of measuring and managing their company’s exposure. The proposed Cybersecurity Disclosure Act of 2017 is so important because it mandates that public companies provide transparency into their level of cyber expertise, and in the absence of such expertise, what mitigating steps they are taking to protect the enterprise. It is a positive step in bridging the communication gap between cybersecurity professionals and board members, and will drive public companies to take the appropriate measures.”
“Equally important in closing that communication gap is the ability for security professionals to communicate to the board in a meaningful, consistent, business centric language,” Grossman told Homeland Security Today. He said his company “and the third party research firm, Osterman Research, published a series of reports that cover this issue. The reports revealed more than half (54 percent) of board members agree or strongly agree that the cybersecurity data presented by security professionals is too technical. On the other side, only one third of IT and security executives believe the board comprehends the cybersecurity information provided to them, and 40 percent of IT and security executives believe the information they provide to the board is actionable. Some of these results can be explained by the lack of expertise present on many boards, with only one in six board members claiming substantial expertise in understanding the nuances and implications of cybersecurity issues, and 60 percent of board members saying that one or more member should be a CISO or some other type of cybersecurity expert. However, for both parties to work together to effectively manage cyber risk and protect the organization’s crowned jewels, they need to be able to communicate.”
Grossman concluded, saying, “Cybersecurity is increasingly transitioning from a technical to a risk management issue that is in line with other operational risks. Boards are more involved in cybersecurity than ever before, and are holding security leaders accountable for presenting understandable, traceable and actionable information. The Cybersecurity Disclosure Act of 2017 is a great step towards ensuring alignment between those responsible for protecting public companies, their customers and shareholders.”
Similarly, last November, Kim L. Jones, a 30-year intelligence, security and risk management professional and a former Chief Security Officer, wrote, “Over the past three weeks I’ve had occasion to attend three separate events all focusing on cybersecurity and the Board of Directors. Two events were multi-day events; the third was a webinar. The target audiences for these events varied from current board members to future CISOs. Several themes emerged from those events that are worth sharing.”
“It’s an understanding barrier, not a language barrier,” he said, pointing out that, “Over the past decade, security professionals have been encouraged to speak ‘the language of the business.’ After attending these events, I have become more convinced that it’s not the presence of a common language, but an erroneous assumption of understanding that is impeding communications.”
“When a security professional says things like ‘malware,’ ‘darknet’ and ‘distributed denial of service attack,’ we believe that there is at least a rudimentary understanding of the term. Not the technical aspects, mind you, but at least the basics of what the term means regarding impact to the business,” Jones wrote. But, “This is not the case. In one of the events that was geared toward board members, the security presenter spent the bulk of the time explaining the difference between a phishing attack and a DDoS attack. The executives present – all of whom sit on boards of directors – were extremely grateful to the very rudimentary explanation – terms most teenagers know today, [but which] are so foreign to most Board of Directors members that it is almost impossible for them to see the linkages between these threats, the existing risks and the proposed actions. One board member for a well-known restaurant chain put it this way: ‘I know more about cuts of meat and purchasing produce than I ever thought I would know at 40. My five year old probably understands more about cyber than I do, though.’”
“Security professionals would be well served to find ways to provide rudimentary education to their board members and their executives prior to risk decisions being made,” Jones said.
The proposed Cybersecurity Disclosure Act of 2017 would require that, “Not later than 360 days after the date of enactment of this Act, the [SEC] shall issue final rules to require each reporting company, in the annual report submitted under section 13 or section 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m and 78o(d)) or the annual proxy statement submitted under section 14(a) of such Act (15 U.S.C. 78n(a)), to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity, and in such detail as necessary, to fully describe the nature of the expertise or experience; and if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.”
With regard to cybersecurity expertise or experience, “For purposes of subsection (b), the [SEC], in consultation with [the National Institute of Standards and Technology (NIST)], shall define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating or addressing cybersecurity threats, using commonly defined roles, specialties, knowledge, skills and abilities, such as those provided in NIST Special Publication 800-181, NICE Cybersecurity Workforce Framework, or any successor thereto.”
According to the Bay Dynamics and Osterman Research study of boards of directors:
- 40 percent of IT and security executives believe the information they provide to the board is actionable; and
- Only one third of IT and security executives believe the board comprehends the cybersecurity information provided to them.