Tuesday, December 22, 2015

Why Doesn’t Your Board Have a Cybersecurity Expert?

By Matthew Garza, J.D.

Senators Jack Reed (D-RI) and Susan Collins (R-ME) have introduced a bill that would force publicly traded companies to disclose whether any member of their board of directors is a cybersecurity expert, and if not, why having such expertise on the board is unnecessary. Requiring companies to disclose this information to investors is one step legislators can take to counter a lack of capability on the part of current corporate directors, said Senator Reed in a statement introducing S. 2410.

Board shortcomings. The Senator said that directors who participated in the National Association of Corporate Directors roundtable on cybersecurity in late 2013 admitted that they have a hard time effectively overseeing management’s cybersecurity activities because of a lack of adequate knowledge of information technology. Reed said that investors deserve a clear picture of companies’ prioritization of cybersecurity, and their ability to protect investors and customers from cyberattacks.

“Cybersecurity is one of the most significant and enduring challenges businesses face and should be accounted for as part of the corporate risk management process. Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Senator Reed.

Senator Collins pointed out that annual disclosures made by public companies on this topic have not kept pace with technological innovation. The bill seeks to fix this by mandating a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyberattacks, she said.

A matter of national security. His experience as ranking member of the Senate Armed Services Committee, in addition to his role on the Banking Committee, brought the importance of this matter to his attention, Reed said. Service on both of these committees caused him to believe that the economic security of the U.S. is a matter of U.S. national security, especially considering how our economy is becoming increasingly reliant on technology and the internet. He referenced a statement by Director of National Intelligence James Clapper at a recent appearance before the Armed Services Committee noting that the uptick in the frequency and severity of cyberattacks means that nearly all information communication technologies and I.T. networks will be “perpetually at risk.”