By Mark S. Nelson, J.D.
A bill introduced by Rep. Jim McDermott (D-Wash) would bring the Sarbanes-Oxley Act into the world of modern technology by explicitly making cybersecurity a part of internal controls reporting. But the Cybersecurity Systems and Risks Reporting Act (H.R. 5069) stands in contrast to the less exacting disclosures that would be required by a bill introduced in the Senate last December. If enacted, either bill would add cybersecurity to the growing list of disclosures required by reporting companies.
Executive certifications. Enactment of SOX Section 302 squarely put the onus on executives to stand behind their companies’ financial reports by requiring CEOs and CFOs to certify these disclosures, including the effectiveness of internal controls, subject to hefty fines and imprisonment for knowing or willful violations of the certification requirement. Under the McDermott bill, the certification mandate would be extended to include a company’s principal cybersecurity systems officer or officers.
The McDermott bill also defines several key terms, including “information system” and “cybersecurity system.” According to the bill, “cybersecurity risk” means a significant vulnerability to, or deficiency in, the security and defense activities of a cybersecurity system.
Internal controls assessment. SOX Section 404 requires a company’s managers to state their responsibility for and their assessment of the effectiveness of the company’s internal controls. This requirement, subject to an exception for emerging growth companies and an exemption for smaller issuers, is buttressed by the accompanying registered public accountant’s attestation and report on the assessment made by the company’s managers.
The McDermott bill would revise managers’ duties to include cybersecurity systems structures and procedures for financial and information systems reporting. A public accountant that prepares or issues the audit report for a company likewise would have its duties regarding the attestation and report on management’s assessment expanded to embrace cybersecurity system structure assessments.
Audit committee expert. The McDermott bill also would amend SOX Section 407, which defines “financial expert,” to require a company to disclose whether (and if not, the reasons why not) its audit committee has at least one member who is a cybersecurity systems expert. The relevant terms of art would be defined by the Commission in consultation with the Department of Homeland Security and the Commerce Department.
The Commission’s definition of “cybersecurity expert” must consider whether a person, through education or experience as an information technology or systems security officer, has: (1) an understanding of generally accepted principles of computer, network, and data security and privacy; (2) experience in preparing information systems audits for cybersecurity risk discovery and related experience in implementing and monitoring information and cybersecurity systems; (3) experience with the information systems aspect of internal accounting controls; and (4) an understanding of how audit committees function.
Enhanced disclosure reviews. The SEC’s staff already reviews Exchange Act reporting companies’ filings at least once every three years under SOX Section 408. This provision would be revised to add cybersecurity risks disclosures to the list of criteria the Commission must consider in scheduling these reviews. As a result, periodic reviews would include a review of a company’s financial statement and its information systems and cybersecurity systems statements.
Senate alternative. In contrast to the extensive disclosures and certifications that would be required by the McDermott bill, related Senate legislation would impose comparatively fewer obligations. Under the Cybersecurity Disclosure Act of 2015 (S. 2410), co-sponsored by Sens. Jack Reed (D-RI) and Susan Collins (R-Maine), the Commission would have to issue final rules within a year of enactment to require reporting companies to make cybersecurity disclosures in their annual report or annual proxy statement.
Specifically, the Reed-Collins bill would require a company to disclose whether any member of its board of directors has cybersecurity expertise or experience, and to fully describe that expertise or experience. In the case of a board with no member who has this expertise or experience, the company must state the cybersecurity steps considered by those persons who identify and vet board nominees. The proposed disclosures are similar to the McDermott bill’s audit committee expertise disclosure.
The Reed-Collins bill also requires the Commission to coordinate with another federal agency that has cybersecurity subject matter expertise. But unlike the McDermott bill, which requires consultation with the Department of Homeland Security and the Commerce Department, the Reed-Collins bill would have the Commission coordinate with the National Institute of Standards and Technology.