What Is the Cybersecurity Disclosure Act of 2015 And Why Should Directors Care? By Scott Goldman
The Cybersecurity Disclosure Act of 2015 (S.2410 of the 114th Congress) is a law proposed on December 15, 2015, which might affect your company and the way that you do business. If you are a publicly held company you must be aware of this pending law, but even if you are not you should still be aware of the reasoning and logic behind it; consider taking action even if you are not legally required to do so.
It is summarized by Congress.gov as "To promote transparency in the oversight of cybersecurity risks at publicly traded companies."
It's important to understand what this bill means, why it was proposed, whether or not it affects you and what to do about it if it does. The intention of this article is to answer those questions.
What does The Cybersecurity Disclosure Act of 2015 mean?
In short, this proposed law means that every publicly held company in the United States - and there are thousands - must specify in their public filings which member of their Board of Directors is their designated cybersecurity expert (which I am abbreviating from this point forward as the "DCE'). If the company does not have a DCE it must explain why it feels that it does not need one and, presumably, what measures it is taking to protect itself from cybercrime and cyberattacks.
Note that every public company must have such a Board although Boards can also be found in privately held companies at their option, unless they sell shares of the company to investors or internal employees, in which case a Board is mandatory.
If passed, the Securities and Exchange Commission (SEC) will create and publish guidelines within a year (360 days, specifically) for what publicly traded companies must publish in their annual reports in regards to cybersecurity threat prevention.
Who will be affected by this law?
This law is intended to create a mandate for public companies only. However, any company that must report to investors, its own employees or, perhaps most importantly, its customers, about the measures it takes to protect the company's finances, operations, data and reputation should consider this law as a guideline for what it should be providing.
What does my company have to do if affected by the Cybersecurity Disclosure Act of 2015?
If you are a publicly traded company (i.e., your company offers shares of stock on any stock exchange, including but not limited to the NYSE, NASDAQ, OTC or even the "pink sheets") you must have someone on your Board of Directors who has expertise and/or experience in cybersecurity. If no current Directors have such experience it will be incumbent upon the company to either add one to its Board or have one of its Directors become sufficiently experienced, trained – or possibly certified – in cybersecurity matters, threat prevention, fraud detection, identity management and other forms of cybercrime.
In short, if your Board does not have a Director who can be its DCE, get one.
“Boards that choose to ignore, or minimise, the importance of cybersecurity oversight responsibility, do so at their own peril,” said Luis A Aguilar, commissioner at the US Securities and Exchange Commission (SEC), in June 2014.
What qualifies someone as having "expertise" or "experience" in cybersecurity?
The proposed law does not currently outline what classifies someone as an "expert" or having had "experience" in the subject matter. It does state that:
"The SEC shall also, in coordination with the National Institute of Standards and Technology, define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats."
That said, it is reasonably safe to assume that the following individuals would qualify:
Anyone certified as a CISSP (Certified Information Security Systems Professional) by the International Information System Security Certification Consortium (ISC2) will qualify.
Someone with experience in running an organization or enterprise where they play an active role in day-to-day management of cybercrime prevention activities.
Someone with a patent on identity management, fraud detection, threat prevention or other cyber threat management software, processes or products.
Someone recognized by others as an expert in the subject matter by virtue of authoring multiple articles, white papers or analyses or having been cited or quoted repeatedly by publicly recognized media.
Will the law pass?
It's impossible to tell until it comes up for a vote. Nonetheless, given the regular and growing exposure of cyber threats in public news sources, exposures of hacking, data theft, malicious damage, theft of personal information including social security numbers, credit card numbers, login IDs and passwords and medical information it is likely that the proposed law will have broad exposure and support.
If the law doesn't pass are we still at risk?
Yes - in a big way. Boards of Directors, both collectively and individually, are at risk. You need to protect your enterprise from hacking in order to protect yourself. Here are some recent examples of how problematic this has become:
Ethical Boardroom: Cybersecurity Risks: Laws and Trends
The Drum: Cybersecurity a "Board level issue"
What if I need more information?
You are welcome to email me at CEO at BeCyberAware dot com (Note that I have taken security measures taken to avoid exposing my full email address to spambots that skim blog posts for email addresses; you should learn to use this tip and many others that I will post to help you #BeCyberAware!).
Scott Goldman is the co-founder and CEO of TextPower, Inc., which provides personalized and bulk notifications via text messaging to utilities, municipalities, universities and enterprises. He is also an Independent Director on the Board of a $2B Fortune 1000 company and has a long track record of wireless, Internet and cybersecurity "firsts" and successes. He is the designated cybersecurity expert for the world's leading website for Board Directors and prospects, BoardProspects.com and posts articles, tips and news updates regularly at BeCyberAware.com and @BeCyberAware in an effort to help C-level executives and Board Directors learn more about cybersecurity and to protect themselves and recover from cyberattacks.