Two members of Congress think the public has a right to know if companies have cybersecurity expertise at the top.
Sens. Susan Collins (R-Maine) and Jack Reed (D-R.I.) are backing a bill, known as the -Cybersecurity Disclosure Act, that would require public companies to tell the federal government whether their boards include someone with knowledge of network security.
{mosads}The legislation is part of a broader push across the federal government to get businesses to release more information about the cyber threats they face and the digital defenses they are using against them.
For the past few years, the Securities and Exchange Commission (SEC) has been raising its expectations for what cybersecurity details companies must disclose in public filings.
The issue has taken on new urgency after a slew of cases where hackers ravaged the digital defenses of businesses that control people’s credit card information, health insurance data and financial records, not to mention companies that control the power grid and water system.
“More and more companies are being subject to computer breaches, and I believe that they need to strengthen their defenses,” Collins told The Hill. “This is particularly true when it comes to critical infrastructure that powers our economy.”
The broad regulatory effort has been met with some resistance in the business community. Companies are concerned about revealing their flaws to hackers and opening themselves up to lawsuits.
But many say the measures are necessary to help protect the country from increasingly sophisticated crime syndicates and hackers looking to cause destruction.
The Collins-Reed bill is intended to inject cybersecurity into businesses through a top-down approach.
The measure would require publicly traded companies to disclose to the SEC whether any member of the board of directors is a cybersecurity expert. If there are no experts, the company would have to explain what alternate steps it is taking to protect its systems from cyberattacks.
“What we’re trying to do is have public companies recognize the need to have a cyber expert on their board or accessible to their board,” Reed told The Hill.
Numerous studies have shown that the vast majority of companies do not have any cyber expertise on their board. Most don’t even talk to the senior information technology offices within their companies.
A 2015 Ponemon Institute survey of over 1,000 chief information officers and senior IT officials found that 78 percent had not briefed their board of directors within the last 12 months.
For Collins, the measure is just her latest attempt to pressure critical infrastructure sectors — such as banking, finance, energy and telecommunications — into prioritizing cybersecurity.
The Maine Republican championed an amendment that was nearly approved as part of the major cybersecurity bill signed into law in December. The amendment would have mandated that a handful of critical infrastructure companies report threat information to the government.
The overall legislation that was passed provides incentives for businesses to share information on hacking threats with the government, but on a voluntary basis.
“Since I’ve been unsuccessful in requiring mandatory reporting by critical infrastructure when they have a serious breach that could cause the loss of thousands of lives and huge economic damage, this is a way to at least disclose to shareholders if a company does not have any expertise in cybersecurity on its board or among its officers,” she said.
Although the Collins-Reed bill would not require a significant shift in corporate boardrooms, it would create pressure on them, said Amjed Saffarini, CEO of CyberVisa, which offers companies cybersecurity training.
“They’re asking the company to do a relatively minor but potentially very impactful thing to mitigating their cybersecurity risks,” he said.
“It’s a very good thing that they’re starting at the top,” Saffarini added. “That culture really permeates through the rest of the organization.”
Several observers said they do not expect the measure to move soon but noted the bill mirrors a larger trend at the SEC. Starting in 2015, the agency began naming cybersecurity a top priority for its investigations.
In the SEC’s recently issued 2016 priorities, the agency indicated it would expect even more details from companies on their cybersecurity vulnerabilities.
“A huge ramp up” is how the move was described by Norma Krayem, a lobbyist who has represented numerous critical infrastructure firms and co-chairs the data protection and cybersecurity division at law firm Holland & Knight.
The heightened scrutiny is prompting many businesses to bolster their digital defenses, said Kim Phan, a Ballard Spahr attorney who advises companies on their SEC filings.
“It’s the way all market forces work,” she said.
Although the average consumer is not looking at SEC filings, many shareholders are, which can drive stock prices and get the public’s attention.
Reed said he supports the SEC’s increased attention to the topic but wants his bill to push the agency further.
“I think the SEC has taken some steps and I applaud them for doing that, but [this bill] makes it very clear, less arguable,” he said.
Ultimately, several specialists said the SEC suggestions could gradually become the requirements that Collins and Reed are seeking.
“We’re slowly walking our way down that lane,” Krayem said.