Two senators want to make corporations reveal how much their leaders know about cybersecurity.
The Cybersecurity Disclosure Act, from Sens. Susan Collins (R-Maine) and Jack Reed (D-R.I.), would require companies to detail the cyber expertise of their top officers, including boards of directors and general partners.
If passed, the bill would direct the Securities and Exchange Commission to issue rules requiring public companies to report their top employees' cybersecurity knowledge in their annual SEC filings.
Such reporting would include “whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience.”
If no one in these positions at a company has cybersecurity knowledge, that company would have to explain how its cybersecurity posture factored into decisions about board member selection.
“What we’re trying to do is have public companies recognize the need to have a cyber expert on their board or accessible to their board,” Reed told the Hill.
No one would dispute the need for companies to improve their cyberdefenses across the board, but it's unclear whether requiring SEC-defined "experience in cybersecurity" at the board level will bring about security improvements.
Dave Weinstein, New Jersey's first cybersecurity adviser, said he worried that the bill would become “another exercise in checking boxes at the board level when it comes to cybersecurity while exerting artificial regulatory pressures.”
“I think board emphasis is really important but... Congress is naive when it comes to standards for expertise or even experience,” Weinstein said in an interview conducted via Twitter direct message. “We should leave it up to companies to differentiate themselves voluntarily by implementing different levels of board focus.”
Weinstein said that he supported new legislation to bolster cybersecurity but urged Congress to focus on transparency instead of corporate leadership structure. He suggested that Congress require the disclosure of more information about data breaches, which have grown more destructive in the last few years.
“It's ironic to me that Congress is so uninformed about this subject,” Weinstein said, “yet they want to mandate controls on companies around experience and expertise, whether it's at the board or IT level.”
Congress began paying close attention to cybersecurity after last spring's Office of Personnel Management data breach. Lawmakers pushed through a controversial bill to encourage companies to share cyber threat data with the government, and one of the bill's lead authors promised to hold regular hearings to monitor its implementation.