Senators Focus on Board Cyber Skills in Disclosure Bill

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Michael Greene

Public companies could be required to disclose whether they have board members with cybersecurity expertise under bipartisan legislation introduced by three U.S. senators.

The Cybersecurity Disclosure Act of 2017 (S. 536), introduced March 7 by Sens. Mark Warner (D-Va.), Jack Reed (D-R.I.), and Susan Collins (R-Maine), also would require companies that don’t have a cybersecurity expert on their boards to explain in financial filings why they considered the expertise unnecessary.

“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process,” Reed said in a release March 9. “Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight.”

National Association of Corporate Directors President Peter Gleason told Bloomberg BNA that his organization applauds the fact that lawmakers are focusing on cybersecurity. However, he questioned what would constitute “expertise” under the proposal.

The NACD is hesitant to support a bill that doesn’t clearly delineate that term, Gleason said. “Until we know what qualifies as an expert and what are the parameters around that, I don’t see this as a panacea in solving the cybersecurity issues.”

The proposed legislation is identical to one introduced by Reed and Collins in 2015, which didn’t make it out of committee. The bill wouldn’t require companies to take any action other than to provide the disclosures.

`First-Order Risk.’

In his statement on the bill, Reed cited a November 2016 NACD study finding that almost 60 percent of board members find it challenging to oversee cyber risk.

In one recent high-profile incident showing that cybsecurity can have serious bottom-line implications, Verizon Communications Inc. took a $350 million discount on its purchase of Yahoo Inc. based on the massive data breaches disclosed by the internet company last year.

Harvard Law professor John Coates told Bloomberg BNA that the proposal reinforces “what better-governed boards of directors already understand.”

Cybersecurity is a “first-order risk” in many industries, and institutional investors are evaluating public companies on how well they communicate their strategies for building their expertise and resilience against cyberattacks, said Coates, who teaches corporate and securities law.

To contact the reporter on this story: Michael Greene in Washington at mGreene@bna.com

To contact the editor responsible for this story: Yin Wilczek at ywilczek@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.