As businesses of all sizes increase spending on cybersecurity – projected to top $124 billion this year – a bipartisan group of lawmakers in Congress wants public companies to go one step further: Install a cyber expert on their boards of directors.
The Cybersecurity Disclosure Act has been introduced several times in recent years, but now it’s gaining traction on Capitol Hill. The House Financial Services Committee approved an amended version of the bill on Dec. 10. Introduced by Rep. Jim Himes, D-Conn., the bill won committee approval on a party-line vote, with Democrats supporting it and all Republicans opposed.
The measure calls on the Securities and Exchange Commission (SEC) to issue rules requiring public companies to disclose in annual reports or proxy statements whether board members have cybersecurity “expertise.” If no board member has experience or expertise in cybersecurity, the bill would require the company to describe steps it took to recruit directors with an information technology security background and what other steps the company has taken to strengthen its cyber defenses.
The legislation leaves it up to the SEC and the National Institute of Standards and Technology to define cybersecurity expertise. If the bill were enacted, that rulemaking process to define cyber expertise would be subject to a public comment period.
Corporate America is investing billions of dollars in addressing cyber vulnerabilities, fortifying current technologies and protecting consumer data. Employees are being trained on phishing scams, and corporate executives are drafting companywide guidelines for cyber monitoring, operations and governance. Jamie Dimon, chairman and CEO at J.P. Morgan Chase & Co., told shareholders that the investment bank spends $600 million annually and tasks more than 3,000 employees with cybersecurity.
The increased corporate focus on cyber defenses isn’t misplaced. Barry Melancon, president and CEO of the American Institute of CPAs, predicts the worldwide cost of cybercrimes will hit $6 trillion by 2021.
Still, Himes said too few public companies are prioritizing cybersecurity and data privacy, and his bill seeks to change that.
“The legislation emphasizes the importance at this point in time of having cybersecurity expertise at the highest levels of publicly traded companies,” Himes said during committee consideration of his bill. “We’re not asking firms to catalog all the avenues of cyber intrusion or to estimate the amount of losses if they were to be a victim. We’re simply asking that they disclose whether anyone on their board of directors has the kind of capability necessary to provide the oversight in the cybersecurity realm, and if not, to explain to investors how they think about this.”
Himes described his bill as “modest” and “light-touch,” requiring only that companies disclose their board-level cyber expertise, not that companies must have such representation.
The legislation does enjoy at least some bipartisan support. Sen. Jack Reed, D-R.I., first introduced the Cybersecurity Disclosure Act in 2015, and this year’s version of Reed’s bill is backed by Republican Sens. Susan Collins of Maine, John Kennedy of Louisiana and Kevin Cramer of North Dakota.
Although the White House hasn’t weighed in on the current bill, President Donald Trump’s Council of Economic Advisers, in a 2018 report, wrote that “mandatory disclosure requirements [could] incentivize firms to adopt better business practices,” including investing more in cyber defenses. Himes cited that statement as implicit Trump administration backing of using the leverage of disclosure to prod companies to act.
SEC Chairman Jay Clayton also has promoted more corporate disclosure of cyber risks and incidents. He said in 2018 that SEC cybersecurity guidance would “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”
Critics of the legislation say Congress shouldn’t dictate policy expertise for public boards and that the bill reflects a fundamental misunderstanding of directors’ roles. Others called the bill “simplistic,” saying there is no consensus even within the tech industry on who is a cybersecurity expert and that there aren’t enough qualified cyber experts to populate the board of every publicly traded company.
The disclosure requirement also could become a tool of plaintiffs’ attorneys. They could bring suits against companies that elect not to have a board-level cyber expert, accusing them of violating fiduciary duties to shareholders.
Saying it had “concerns” about the bill, the U.S. Chamber of Commerce called the legislation’s disclosure requirement a “comply or explain” model that “conflates the responsibilities of a board of directors with that of management.”
It’s unclear if Democratic leaders will schedule a floor vote in the House for Himes’ bill. But the party-line vote in the committee likely at least delays House consideration.
Even if the bill were to win approval in the Democrat-controlled House, it’s difficult to see it gaining traction in the Republican-controlled Senate, where many GOP lawmakers would object to the federal government impermissibly micromanaging the makeup of corporate boards and interfering in corporate governance.
Still, the political dynamics could change in an instant if there’s a new, significant data breach, and under those circumstances, bills like those from Reed and Himes could win quick congressional approval.