On December 17, 2015, Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015, S.2410 (the “Act”), with the stated purpose of promoting “transparency in the oversight of cybersecurity risks at publicly traded companies.”
The Act would apply to companies whose securities are registered under section 12 of the Securities Exchange Act of 1934 (the “1934 Act”) and to companies required to file reports under section 15(d) of the 1934 Act. It directs the Securities and Exchange Commission (the “SEC”) to issue rules requiring each such company to disclose whether any member of its board of directors, or any general partner, has expertise or experience in cybersecurity. In its annual report, the company must identify those directors or partners and describe the nature of each person’s expertise or experience in enough detail to make that expertise clear. The Act tasks the SEC, working with the National Institute of Standards and Technology, with defining what counts as cybersecurity expertise or experience.
If no director or partner has such expertise, the company must instead describe “what other cybersecurity steps taken by the reporting company were taken into account” by the persons responsible for identifying and evaluating nominees to the board.
What does this mean for you?
It is important to note that the Act would not require companies to seat a cybersecurity expert on their boards of directors. Its mechanism is disclosure: by forcing companies to say publicly whether the board has such expertise, it would likely encourage shareholders to press for cybersecurity experience on the board and to pay closer attention to cybersecurity risk. Whether the Act will pass is uncertain, but lawmakers’ growing interest in how companies govern cybersecurity is reason enough for companies to evaluate their own cybersecurity policies and consider how to incorporate cybersecurity risk into their business decision-making.