It is not news that cybersecurity is a serious corporate and domestic security concern. But despite continuing revelations of high-profile data breaches, cybersecurity is an area (OK, one of the many areas) where Congress has been slow to act. While there is still as yet no comprehensive Congressional attempt to tackle cybersecurity as an issue and as a phenomenon, two U.S. senators have now introduced a bipartisan bill that would require publicly traded companies to disclose the cybersecurity expertise or experience that is represented on their boards of directors, or to disclose what other steps the company has taken to identify or evaluate nominees for this board-level cybersecurity position.
On December 17, 2015, Sen. Jack Reed, a Democrat from Rhode Island, and Sen. Susan Collins, a Republican from Maine, introduced the Cybersecurity Disclosure Act of 2015, the text of which can be found here. According to the senators’ joint December 17, 2015 press release (here), the bill seeks to “strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies.” The bill, according to the press release, asks each publicly traded company to include in its SEC disclosures to investors “information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company.”
The legislation requires the SEC, in conjunction with the National Institute of Standards and Technology, to define what constitutes “expertise and experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating or addressing cybersecurity threats.” The proposed legislation does not actually require public companies to take any steps other than to provide the required disclosure.
The proposed bill has been referred to the Senate Committee on Banking, Housing, and Urban Affairs, for further review and consideration.
The senators’ press release includes remarks from several commentators and authorities who support their bipartisan bill. For example, the press release quotes Harvard Law Professor John Coates as saying that the proposed bill “provides a light touch ‘disclose or comply’ approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way.” The press release also quotes Columbia Law School Professor John Coffee as supporting the bill as a “moderate and reasonable ‘regulatory nudge’ that pushes public companies to give greater attention to cybersecurity issues without mandating an inflexible board structure or insisting that ‘one size fits all.’”
Though the bill is still only at the committee stage, it has already drawn its share of criticism. For example, a December 2015 memo entitled “Proposed Cybersecurity Disclosure Act Shows Deep Misunderstanding of the Role of the Board of Directors” (here) from the Jones Day law firm calls the bill’s approach “misguided,” and says that it reflects “a fundamental lack of understanding of the role of directors.” In particular, the memo notes that “any number of experts would likely enhance the quality of a particular board of directors, but a one-size-fits-all approach is imprudent, reflects a misunderstanding of the role of the board of directors, and does not address the fundamental issue at hand – the need for companies to allocate the necessary attention and resources to cybersecurity risks.”
From my perspective, the bill generally takes the right approach but simply has the incorrect focus. I agree with the comments in support of the bill that the best approach to imposing cybersecurity controls on publicly traded companies is a “comply or disclose” approach. However, I also agree with the Jones Day law firm’s memo that encouraging public companies to change the composition of their boards of directors represents misdirected pressure, when any given company’s operational situation may well require the company to prefer board candidates with other types of skills or expertise.
Congress has already gone a long way in dictating board composition (for example, by instituting requirements regarding independence and financial expertise). While the theoretical merits of any one of these board composition requirements taken in isolation are hard to assail, the cumulative impact could be that companies wind up with boards that do not reflect the needs and circumstances that the company is facing.
From my perspective, a better approach, rather than focusing disclosure requirements on board composition, would be to sharpen and emphasize disclosure around the actual cybersecurity steps the company is taking – that is, what personnel the company has deployed on the issue, what resources the company has deployed to address the concern, and what measures the company has taken to bolster its cybersecurity. As the Jones Day memo points out, the SEC has already issued guidance specifying that companies must disclose material cybersecurity risks and incidents to investors. If Congress thinks these cybersecurity disclosure requirements are insufficient, then the correct approach is to sharpen the disclosure focus on these cybersecurity remedial measures, not to put pressure on corporate boards to further alter their composition, when that may not be the best approach to address these concerns for many companies. Of even greater concern, requiring board members to fulfill Congressionally mandated requirements is not the best formula to ensure that reporting companies are best equipped to compete in the global economy.
As the Cooley law firm points out in its January 4, 2016 memo about the proposed legislation (here), the likelihood that the legislation will actually be enacted into law is “highly uncertain.” However, even if the bill does not become law, “its introduction may still raise shareholder awareness about the need for Board members to better understand and address cybersecurity threats.” In that respect, if the proposed bill is meant to serve as a consciousness-raising exercise, then the attention it may receive is worthy and should be supported. The bill’s approach, if it were actually enacted into law, is arguably well-intentioned but perhaps not the best way to accomplish the bill’s goals.