Earlier this month Sen. Reed (D,RI) introduced S 2410,
the Cybersecurity Disclosure Act of 2015. According to a press
release from Reed’s office the “bill seeks to strengthen and prioritize
cybersecurity at publicly traded companies by encouraging the disclosure of
cybersecurity expertise, or lack thereof, on corporate boards at these
companies”.
Cybersecurity Reporting Requirements
The bill would require the Securities and Exchange
Commission to issue regulations requiring companies that must file either an
annual report {under 15 USC §78m
or §78o(d)}
or a proxy statement {under 15
USC §73n(a)}
to include in those reports a disclosure that {§2(b)}:
• A member of the governing body,
such as the board of directors or general partner, of the reporting company has
expertise or experience in cybersecurity and in such detail as necessary to
fully describe the nature of the expertise or experience; or
• If no member of the governing body of the reporting
company has expertise or experience in cybersecurity, to describe what other
cybersecurity steps taken by the reporting company were taken into account by
such persons responsible for identifying and evaluating nominees for any member
of the governing body, such as a nominating committee.
The SEC is given one year to establish such regulations. In
the meantime, it is required to work with the National Institute of Standards
and Technology (NIST) to define “what constitutes expertise or experience in
cybersecurity, such as professional qualifications to administer information
security program functions or experience detecting, preventing, mitigating, or
addressing cybersecurity threats” {§2(c)}.
Moving Forward
Reed is a high ranking member of the Senate Banking, Housing
and Urban Affairs Committee, the Committee to which this bill was referred for
consideration. Reed probably has the political pull within that Committee to
have the bill considered. Whether or not he and his co-sponsor {Sen. Collins (R,ME)}
have the pull to get this bill considered in the full Senate remains to be
seen.
If this bill does make it to the floor of the Senate, there
should be no organized opposition to its passage. I suspect that the bill will
be (if considered at all) taken up under the Senate’s unanimous consent
procedures.
Commentary
It is interesting that in the definitions section of this
bill the term ‘information system’ includes specific mention of “industrial
control systems, such as supervisory control and data acquisition systems,
distributed control systems, and programmable logic controllers” {§2a(9)(b)}. Unfortunately,
the inclusion of control systems does not seem to extend to the definition of ‘cyber
threat’ as that continues to rely on the old IT standard of “an unauthorized effort
to adversely impact the security, availability, confidentiality, or integrity
of an information system or information that is stored on, processed by, or
transiting an information system” {§2(a)(2)(A)}.
I’m pretty sure that this does not reflect a refusal to
extend the definition of ‘cyber threat’ to control systems. It is much more likely
that this is just a symptom of the continuing congressional misunderstanding of
the differences between information systems and industrial control systems.
While the bill does not actually require cybersecurity
representation on the boards of the covered companies, it will essentially have
that effect on most of the reporting organizations. This means that there will
be a surge of corporations of varying sizes looking for cybersecurity personnel
to serve on boards or as specific advisors to boards. This isn’t going to cause
a great expansion in the number of cybersecurity personnel, but it will
increase the public visibility of many of those experts.
At this point we can only hope that the ranks of these new
board members will include a substantial number of control system security
experts. Particularly at those companies with a strong process background
(energy and chemical sectors come quickly to mind) we should expect to see
control system experts outnumbering information system security experts. It
would be nice to see a significant number of control system experts making
their way onto boards from device manufacturers (aircraft, automobile and
medical manufacturers come to mind).
All of this will be influenced by the SEC and NIST as they
define the cybersecurity expertise to be used in the new regulations. While it
might be nice to see vanilla definitions that do not distinguish between
information system and control system security backgrounds, I think that it
might be more appropriate to specifically define each separately. Then the SEC
could write their regulations to report on the specific types of cybersecurity
expertise on the boards of covered organizations. This would give investors the
best picture of the level and specificity of the cybersecurity expertise
helping to guide the organization through the currently expanding cyber-threat
landscape.