Reed, Collins Seek to Prioritize Cybersecurity at Public Companies Through SEC Disclosures
WASHINGTON, DC – In an effort to increase transparency for investors and consumers in an age of persistent cybersecurity threats, U.S. Senators Jack Reed (D-RI) and Susan Collins (R-ME) today introduced the bipartisan Cybersecurity Disclosure Act of 2015. The bill seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies.
In response to recent data breaches at various companies, which exposed the personal information of millions of customers, the Reed-Collins legislation asks each publicly traded company to include in its Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company. The legislation does not require companies to take any actions other than to provide this disclosure.
Cyberattacks on large companies skyrocketed 44% last year over 2013 levels, and cybercrime costs businesses more than $400 billion a year, according to Lloyd's of London.
“Cybersecurity is one of the most significant and enduring challenges businesses face and should be accounted for as part of the corporate risk management process. Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Senator Reed, a senior member of the Senate Banking Committee. “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cybergovernance.”
“For decades the SEC has had the mandate to make sure investors and shareholders have similar information as insiders. Unfortunately, the annual disclosures made by publicly traded companies have not kept pace with the pace of technological innovation. Our bill fixes that by making sure that firms provide a basic amount of information about the degree to which a firm is protecting the economic and financial interests of the firm from cyber attacks,” said Senator Collins, a member of the Senate Select Committee on Intelligence.
According to the National Association of Corporate Directors, just 11% of public-company boards questioned this year reported a high-level understanding of cybersecurity. According to the Los Angeles Times, a review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack. An analysis by PricewaterhouseCoopers found that 30% of boards surveyed never talk about cybersecurity at all.
Board directors who participated in National Association of Corporate Directors roundtable discussions on cybersecurity late in 2013 admitted that the lack of adequate knowledge has made it challenging for them to “effectively oversee management’s cybersecurity activities.” Participating board members also suggested that “without sound knowledge of—or adequate sensitivity to—the topic, directors cannot easily draw the line between oversight and management,” and that once in the technical “weeds,” directors “find it difficult to assess the appropriate level of [the board’s] involvement in risk management.”
The bipartisan Reed-Collins Cybersecurity Disclosure Act of 2015 is supported by consumer advocates and securities law experts, including the Consumer Federation of America; Harvard University School of Law Professor John Coates; Columbia University School of Law Professor John Coffee; and former International Monetary Fund Chief Economist and Massachusetts Institute of Technology Professor Simon Johnson.
Support for the Reed-Collins Cybersecurity Disclosure Act of 2015:
“The Cybersecurity Disclosure Act of 2015 would encourage corporate boards to take responsibility for cybersecurity seriously and ensure that they have the expertise needed to identify risks and implement strong defenses against hackers and other threats,” said Susan Grant, Director of Consumer Protection and Privacy at Consumer Protection of America. “Customers and investors will have more information about how companies deal with cybersecurity issues and more confidence in the safety of the sensitive data that they hold.”
“The Bipartisan Policy Center appreciates Senator Reed and Senator Collins’ bipartisan efforts to address cybersecurity challenges as they relate to issues involving publicly traded companies, which is an important topic of growing concern. We look forward to working with Senator Reed, Senator Collins, and their colleagues to highlight this issue and would welcome the opportunity to facilitate further discussion about this bipartisan proposal,” said Aaron Klein, Director of Financial Regulatory Reform at the Bipartisan Policy Center.
“The bill would encourage boards to take direct responsibility for cybersecurity through a light touch ‘comply or disclose’ approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way,” said Harvard University School of Law Professor John Coates.
“In my judgment, the Reed-Collins Bill on cybersecurity amounts to a moderate, and reasonable ‘regulatory nudge’ that pushes public companies to give greater attention to cybersecurity issues without mandating an inflexible board structure or insisting that ‘one size fits all.’ This will help spur action, but still permit diverse approaches to a developing problem,” said Columbia University School of Law Professor John Coffee.
“This important legislation will require companies to disclose their board level expertise in cyber security. It is entirely appropriate for investors to know the extent to which a company gives top priority to protecting the data that it holds. This disclosure will also enable customers to potentially assess the risks of doing business with particular firms,” said Simon Johnson, Professor at the MIT Sloan School of Management.