Cybersecurity and Data Privacy: New Cybersecurity Bill Introduced in Senate Would Effectively Force Public Companies to Address Cybersecurity Through SEC Disclosures

January 3, 2016

By: Clifford G. Tsan, Michael D. Billok, and Matthew N. Wells

In response to the increase in cybersecurity attacks and data breaches in recent years, some companies have begun to recruit cybersecurity experts to their boards of directors. On December 17, 2015, U.S. Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the bipartisan Cybersecurity Disclosure Act of 2015, purportedly as an attempt to prioritize cybersecurity issues at publicly traded companies. The bill would require publicly traded companies to disclose, through their Securities and Exchange Commission (SEC) filings, whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board is unnecessary. This disclosure is the only action a public company would be required to take under the proposed legislation. The bill also requires that the SEC, working with the National Institute of Standards and Technology, define clearer guidelines on what constitutes cybersecurity expertise or experience.

Sen. Reed stated that the impetus for this bill was that "[i]nvestors and customers deserve a clear understanding of whether publicly traded companies are not only prioritizing cybersecurity, but also have the capacity to protect investors and customers from cyber related attacks." A press release issued by Sen. Reed noted that the National Association of Corporate Directors estimates that just 11% of publicly traded companies reported a high-level understanding of cybersecurity. The Cybersecurity Disclosure Act of 2015, therefore, seeks to encourage corporate boards to ensure that they have the expertise needed to identify cybersecurity risks and implement strong defenses.

Additionally, President Obama recently signed into law an omnibus spending bill that included the controversial Cybersecurity Information Sharing Act of 2015 (CISA), which was passed by the U.S. Senate on October 27, 2015, as described in a previous Bond Informational Memo. The Cybersecurity Disclosure Act of 2015 is another attempt to curtail the incessant cyber-attacks against public companies.

For more information, please contact Clifford G. Tsan or Michael D. Billok (Co-Chairs of Bond’s Cybersecurity and Data Privacy Group), Matthew N. Wells or Franz M. Wright.
