Cybersecurity Disclosure Act of 2017 Forces Cybersecurity Responsibility Into the Boardroom
The need for board-level responsibility for cyber security is generally accepted but not always applied. A new bill introduced to the Senate seeks to change this by requiring a board level statement of cyber security expertise or practice in annual SEC filings.
S536, cited as the 'Cybersecurity Disclosure Act of 2017', is sponsored by Democrats Mark Warner of Virginia and Jack Reed of Rhode Island, and Republican Susan Collins of Maine. Its purpose is to promote transparency in the oversight of cybersecurity risks at publicly traded companies.
The bill (PDF) defines a cyber security threat as any action not protected by the First Amendment that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system..."
The bill then proposes just three requirements under the aegis of the Securities and Exchange Commission (SEC): that annual reports to the SEC must disclose the level of cyber security expertise of the board; or, if none exists, what "other cybersecurity steps taken by the reporting company were taken into account"; and that the definition of what constitutes that expertise should come from the SEC in consultation with NIST.
"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said in a statement announcing the legislation. "This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."
The effect of the bill will be to make the board legally and transparently responsible for cyber security. It is not the first regulation to seek this effect in 2017. On 1 March, the New York Department of Financial Services' 23 NYCRR 500 regulation came into force. That regulation imposes a responsibility for regulated organizations to name a 'CISO' who will provide an annual cyber security report to be submitted and signed off by the board to the regulator.
Taken together, these two examples of new regulations suggest that regulatory authorities are no longer satisfied to make recommendations about board-level security responsibility, but are now ready to mandate and legally require it.
The implication is that it is no longer sufficient that organizations should have security in the board, it will increasingly become a legal requirement.