Saturday, December 26, 2015

S 2410 Introduced – Cyber Board Membership

Earlier this month Sen. Reed (D,RI) introduced S 2410, the Cybersecurity Disclosure Act of 2015. According to a press release from Reed’s office the “bill seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies”.

Cybersecurity Reporting Requirements

The bill would require the Securities and Exchange Commission to issue regulations requiring companies required to issue either an annual report {under 15 USC §78m or §78o(d)} or a proxy statement {under 15 USC §73n(a)} include in such reports a disclosure that{§2(b)}:

• A member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; or
• If no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.

The SEC is given one year to establish such regulations. In the meantime, it is required to work with the National Institute of Standards and Technology (NIST) to define “what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats” {§2(c)}

Moving Forward

Reed is a high ranking member of the Senate Banking, Housing and Urban Affairs Committee, the Committee to which this bill was referred for consideration. Reed probably has the political pull within that Committee to have the bill considered. Whether or not he and his co-sponsor {Sen. Collins (R,ME)} have the pull to get this bill considered in the full Senate remains to be seen.

If this bill does make it to the floor of the Senate, there should be no organized opposition to its passage. I suspect that the bill will be (if considered at all) taken up under the Senate’s unanimous consent procedures.


It is interesting that in the definitions section of this bill the term ‘information system’ includes specific mention of “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§2a(9)(b)}. Unfortunately, the inclusion of control systems does not seem to extend to the definition of ‘cyber threat’ as that continues to rely on the old IT standard of “an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system” {§2(a)(2)(A)}.

I’m pretty sure that this does not reflect a refusal to extend the definition of ‘cyber threat’ to control systems. It is much more likely that this is just a symptom of the continuing congressional misunderstanding of the differences between information systems and industrial control systems.

While the bill does not actually require cybersecurity representation on the boards of the covered companies, it will essentially have that effect on most of the reporting organizations. This means that there will be a surge of corporations of varying sizes looking for cybersecurity personnel to serve on boards or as specific advisors to boards. This isn’t going to cause a great expansion in the number of cybersecurity personnel, but it will increase the public visibility of many of those experts.

At this point we can only hope that the ranks of these new board members will include a substantial number of control system security experts. Particularly at those companies with a strong process background (energy and chemical sectors come quickly to mind) we should expect to see control system experts outnumbering information system security experts. It would be nice to see a significant number of control system experts making their way onto boards from device manufacturers (aircraft, automobile and medical manufacturers come to mind).

All of this will be influenced by the SEC and NIST as they define the cybersecurity expertise to be used in the new regulations. While it might be nice to see vanilla definitions that do not distinguish between information system and control system security backgrounds, I think that it might be more appropriate to specifically define each separately. Then the SEC could write their regulations to report on the specific types of cybersecurity expertise on the boards of covered organizations. This would give investors the best picture of the level and specificity of the cybersecurity expertise helping to guide the organization through the currently expanding cyber-threat landscape.

No comments:

/* Use this with templates/template-twocol.html */