Congress is attempting again to bolster public companies’ cybersecurity defenses by requiring them to tell regulators whether any of their board members are cybersecurity experts or explain why that isn’t necessary.
Introduced February 28, 2019 by a bipartisan group of five senators, the Cyber Security Disclosure Act would require companies to disclose to the Securities and Exchange Commission (SEC) “whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience.”
No similar bill has been introduced yet in the House of Representatives.
The benefit. Such a law could potentially provide cybersecurity experts within a company with more knowledgeable board members with whom to hash out the company’s cyber-defense strategy. The bill follows similar legislation introduced in 2017 that failed to pass.
Skopos Labs’s Automated Predictive Intelligence methodology gives the bill a 33% chance of being enacted. NeuGroup members have noted cybersecurity as the issue that keeps them up at night, and the bill was noted at a recent meeting of The Corporate [Enterprise Risk Management] Group.
Larry Clinton, president of the Internet Security Alliance (ISA), a Washington, D.C.-based trade association advocating for a sustainable system of cybersecurity, noted that corporate boards globally have recognized cybersecurity as an enterprise-wide risk management issue. Consequently, he said, it should be managed by a group with a corporate-wide view. Members, he added, could include IT, finance, human resources, legal, compliance and public relations, and the effort should be independently funded and not a part of the IT budget.
The bill’s problems. Mr. Clinton said one major problem with the bill is its assumption that one person on a board could or would be an “expert” in the totality of cyber risk management.
“The single expert model embedded in this bill is contrary to modern cyber risk management approaches and would likely be counterproductive in terms of enhancing security,” Mr. Clinton said.
He added that such a law could favor making that single expert someone with an IT background, but in that case solutions will likely be IT-focused, even though technology addresses how the attacks occur but not the more relevant issue of why they occur.
“The internet is inherently vulnerable, and what has come after—mobile, internet-of-things (IoT), cloud computing, etc.—has enhanced that vulnerability,” Mr. Clinton said. “Nevertheless, the number one vulnerability in an organization is its people. If you have IT in charge, you will get IT solutions.”
A better bill would … Mr. Clinton said there is already a shortage of experts with cyber expertise, so requiring such expertise at the board level would be problematic for many companies. A more effective bill, he said, would help create such expertise. The bill could also seek to create incentives to develop private-industry solutions. Mr. Clinton noted that currently there’s little incentive for IoT security, but incentives like what already exists in other industries, such as strong safety records speeding up pharmaceutical companies’ drug approvals by regulators, could be applied.
In addition, he said, cybercrime is a $600 billion to $1 trillion business, with promotions, sales, and money back guarantees—in fact, the current price over the Dark Web to access a company’s email is $500.
“If we want to deter these guys, we have to start putting some of them in jail. The FBI is really good, but it is vastly out-resourced,” he said. “In addition, we need to revamp international laws so we can legitimately track this global crime wave.”
Mr. Clinton also said a more effective bill would give the regulatory responsibilities to the Department of Homeland Security rather than the SEC, which often has an adversarial relationship with the companies it regulates.