WASHINGTON, DC – In an effort to better protect customers, increase transparency for investors, and ensure public companies are prioritizing cybersecurity and data privacy, U.S. Senators Jack Reed (D-RI), Susan Collins (R-ME), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL) are introducing S. 592, the Cybersecurity Disclosure Act of 2019. Congressman Jim Himes (D-CT), who serves on the House Financial Services Committee and the House Permanent Select Committee on Intelligence, will be introducing the companion legislation in the House of Representatives.
The Reed-Collins-Warner-Kennedy-Jones legislation would require publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the company. The legislation does not require companies to take any actions other than to provide this disclosure.
Cyberattacks on companies and businesses continue to increase in their sophistication, exposing customers and data to risk. Indeed, according to the Identity Theft Resource Center, the number of records containing personally identifiable information exposed by data breaches in the business industry grew from 181,630,520 in 2017 to 415,233,143 in 2018, and in the medical and health care industry from 5,302,846 in 2017 to 9,927,798 last year. Across all industries, the number of records containing personally identifiable information exposed by data breaches rose 126%, from 197,612,748 in 2017 to 446,515,334 in 2018.
Deloitte’s 11th Global risk management survey of financial institutions found that “sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely or very effective in managing this risk.” And according to the 2018-2019 National Association of Corporate Directors Public Company Governance Survey, only 52 percent of directors “are confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight,” and 58 percent “believe their boards collectively know enough about cyber risk to provide effective oversight.”
“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process. With growing cyber threats, we must be proactive in bolstering our nation’s cybersecurity. This legislation advances that goal by encouraging publicly traded companies to be more transparent about whether and how their Boards of Directors and senior management are prioritizing cybersecurity,” said Senator Reed, the Ranking Member of the Senate Armed Services Committee and a senior member of the Senate Banking Committee. “As our economy becomes ever more dependent on technology and the Internet, our economic security is indeed a matter of national security. Through the simple disclosure called for by this bipartisan legislation, we can strengthen cybersecurity oversight.”
“As cyberattacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Senator Collins, a member of the Senate Intelligence Committee. “This bipartisan bill strengthens our nation’s cybersecurity by requiring companies to disclose to the public the basic steps they are taking to prevent cyberattacks.”
“Every day, determined cyberattackers target publicly traded companies in attempts to steal data. When successful, these attacks can be extremely damaging, which is why consumers and shareholders deserve to know whether companies’ boards have cyber expertise,” said Senator Warner, Vice Chairman of the Senate Select Committee on Intelligence and Ranking Member of the Senate Banking Subcommittee on National Security and International Trade and Finance. “This legislation will help inform consumers and shareholders by increasing transparency, and will serve as a tool to urge more reliable strategies to counter cyberattacks.”
“As our society increasingly relies on technology, businesses across all sectors of the economy must prioritize cybersecurity. A single cyberattack can cripple even the most sophisticated firms, and the public has a right to know whether companies are focused on preventing cybersecurity threats. This bipartisan legislation will greatly increase transparency and accountability, and will ultimately help cybersecurity resilience across our economy,” said Senator Jones.
The bipartisan Cybersecurity Disclosure Act of 2019 is supported by consumer advocates, investors, and securities law experts, including the North American Securities Administrators Association; the Council of Institutional Investors; the National Association of State Treasurers; the California Public Employees’ Retirement System; the Bipartisan Policy Center; Massachusetts Institute of Technology Professor Simon Johnson; Harvard Law Professor John Coates; Columbia Law Professor Jack Coffee; K&L Gates LLP; and the Consumer Federation of America.