Laws frequently change the way that we do business. Whether it's taxes, regulations or some other requirement that we, as business people, are obliged to abide by, compliance is essential to avoiding legal actions and getting our jobs done without interference.
Sometimes laws might even change the structure of your business. There's one pending in the US Senate right now, in fact, that hasn't gotten a lot of exposure but could change the composition of your board of directors and their responsibilities.
The Cybersecurity Disclosure Act of 2015 (S.2410 of the 114th Congress) is a law proposed on Dec. 15, 2015 which states that if your business is publicly held (shares of your stock are sold on the open exchanges such as NYSE, NASDAQ and others), your official filings with the Securities and Exchange Commission (SEC) must state who on the board is a cybersecurity expert. Moreover, if your board doesn't have a designated cybersecurity expert, you'll have to explain why.
In government-speak it intends "To promote transparency in the oversight of cybersecurity risks at publicly traded companies." In other words, the government will be stepping in to make sure at least one of the directors on your board can help the company protect itself from hackers, identity theft, ransomware, etc. Whether you approve of the feds playing Big Brother or not, it would be inadvisable to ignore the impact this law might have on your company.
So does this law affect you? And if it does, what will you have to do to comply? That leads us to a few key questions:
What does The Cybersecurity Disclosure Act of 2015 mean?
In short, this proposed law states that every publicly held company in the United States - and there are thousands - must specify in their public filings which member of their board of directors is their designated cybersecurity expert (let's call this Director the "DCE"). If the board does not have a DCE the company must explain why it feels that it does not need one and what measures it is taking to protect itself from cybercrime and cyberattacks.
(Note that every public company must have a board of directors. Privately held companies may have one at their option, unless they sell shares of the company to investors or internal employees, in which case a board is mandatory.)
The law is still in the pending/proposed stage, but if it is passed, the SEC will create and publish guidelines within a year of its approval specifying what publicly traded companies must publish in their annual reports regarding cybersecurity threat prevention.
Who will be affected by this law?
This law is intended to create a mandate for public companies only. However, any company that must report to investors, its own employees or, perhaps most importantly, its customers, about the measures it takes to protect the company's finances, operations, data and reputation should consider this law as a guideline for what it should be providing.
If it passes - then what?
If you are a publicly traded company you will be legally compelled to have someone on your board of directors who has expertise and/or experience in cybersecurity (although "expertise" has yet to be defined). If no current director has such expertise or experience, it will be incumbent upon the company either to add one to its board or to have one of its directors become sufficiently experienced, trained – or possibly certified – in cybersecurity matters such as threat prevention, fraud detection, identity management and other defenses against cybercrime.
Make no mistake about it - the SEC means business. In June 2014 Luis A. Aguilar, commissioner at the US Securities and Exchange Commission (SEC), said:
“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
So if you do intend to add someone to the board or train an existing director to be a cybersecurity "expert," what does that mean?
This all begs the question: What qualifies someone as having "expertise" or "experience" in cybersecurity? In typically cryptic government fashion, the proposed law doesn't say. So far it is a mystery what classifies someone as an "expert" or as having had experience in the subject matter. That said, it's safe to assume that the following individuals would qualify as "cybersecurity experts":
- Anyone certified as a CISSP (Certified Information Systems Security Professional) or higher by the International Information System Security Certification Consortium (ISC2) or other recognized security standards body.
- Anyone with experience in running an organization or enterprise where they play an active role in day-to-day management of identity management or cybercrime prevention activities.
- Anyone holding a patent in identity management, fraud detection, threat prevention or other cyber threat management software, processes or products.
- Or, finally, anyone recognized by others as an expert in the subject matter by virtue of authoring multiple articles, white papers or analyses that have been peer reviewed, cited or quoted repeatedly by publicly recognized media.
Will the law pass?
Who knows? It's impossible to tell until it comes up for a vote. Nonetheless, given the regular and growing coverage of cyber threats in public news sources - hacking, ransomware, data theft, malicious damage, and theft of personal information including Social Security numbers, credit card numbers, login IDs and passwords, and medical information - it's reasonable to assume that the proposed law will have broad exposure and support. Even if it doesn't pass in its current form, it's likely to generate enough buzz to force public company boards to make some changes.
If the law doesn't pass are directors still at risk?
In short, yes. Board directors, both collectively and individually, carry some risk. Directors are part of a unique business ecosystem: the CEO reports to the board, succession plans for the current CEO are the board's responsibility, and it is incumbent upon the board to ensure that the company's C-level executives are doing whatever is needed to protect the enterprise from hacking.
Unfortunately, most boards are ill-equipped to handle cybersecurity issues at all, and even less ready to affirm that they have a director who qualifies as a designated cybersecurity expert (DCE).
In short, if your board does not have a director who can be its DCE, start thinking about getting one now. Cyber attacks, theft, ransomware and other breaches are already problematic for boards and are likely to get significantly worse. It's essential to teach your directors to be cyberaware… and to find someone who can qualify as an expert.
This article is published as part of the IDG Contributor Network.