U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and a member of the Senate Banking Committee, along with Sens. Jack Reed (D-RI) and Susan Collins (R-ME), introduced bipartisan legislation to better protect consumers, increase transparency for investors and ensure public companies are prioritizing cybersecurity and data privacy.
The Cybersecurity Disclosure Act asks publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company. The legislation does not require companies to take any actions other than to provide this disclosure.
“All public companies face threats daily from determined cyberattackers out to steal their data. As we’ve seen with data breaches at retailers like Target and service providers like Yahoo, it is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against them,” said Senator Warner. “This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”
“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process. Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Senator Reed, a senior member of the Senate Banking Committee. “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cyber-governance. Through simple disclosure, we can strengthen cybersecurity oversight.”
“As cyber-attacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Senator Collins, a member of the Senate Intelligence Committee. “Our bill would make sure companies disclose to the public the basic steps they are taking to protect their businesses from cyber attacks.”
Cyberattacks on companies and businesses continue to increase in frequency and sophistication. 2016 was a record-breaking year for data breaches, increasing 40 percent from the prior year to 1,093 breaches, according to the Identity Theft Resource Center. However, according to Deloitte’s tenth Global Risk Management Survey of Financial Services Institutions, published this month, 42 percent of respondents considered their institution to be less effective in managing cybersecurity.
And according to the 2016-2017 NACD Public Company Governance Survey, “fifty-nine percent of respondents reported that they find it challenging to oversee cyber risk, and only 19 percent of respondents said that their boards possess a high level of knowledge about cybersecurity.”
The bipartisan Cybersecurity Disclosure Act of 2017 is supported by consumer advocates and securities law experts, including the Consumer Federation of America; Harvard University School of Law Professor John Coates; Columbia University School of Law Professor John Coffee; and former International Monetary Fund Chief Economist and Massachusetts Institute of Technology Professor Simon Johnson.
Sen. Warner is the cofounder of the Senate Cybersecurity Caucus and has been a leader in calling for better consumer protections from data theft. In the aftermath of the Target breach that exposed the debit and credit card information of 40 million customers, Sen. Warner in 2014 chaired the first congressional hearing on protecting consumer data from the threat posed by hackers targeting retailers’ online systems. Following the news of the first of many data breaches targeting Yahoo accounts, Sen. Warner called on the Securities and Exchange Commission to investigate whether Yahoo fulfilled its obligations to investors by appropriately disclosing the breach that affected over 500 million accounts.