Last week Rep. McDermott (D, WA) introduced HR 5069, the Cybersecurity Systems and Risks Reporting Act. The bill would modify the Sarbanes-Oxley (SOX) Act of 2002 (15 USC Chapter 98), adding cybersecurity reporting requirements to the financial reporting requirements of that Act.
Definitions
Section 2 of the bill starts out by modifying some existing definitions in the SOX Act. The definition of 'audit' {15 USC 7201(a)(2)} is modified by adding 'and information systems' after the words 'financial statements'. In the definition of 'audit committee' {§7201(a)(3)} the bill would replace 'financial reporting processes' with 'financial, and cybersecurity systems reporting processes'. Finally, in §7201(a)(10), the definition of 'professional standards' would be modified by adding 'cybersecurity systems standards and practices,' after 'quality control policies and procedures,'.
Three new definitions would then be added to the SOX Act
list of definitions. The new terms would be:
• Information System;
• Cybersecurity System; and
• Cybersecurity Risk
The key definition here is ‘information system’. It is
defined this way {new §7201(a)(18)}:
“The term ‘information system’
means a set of activities, involving people, processes, data, or technology,
which enable the issuer to obtain, generate, use, and communicate transactions
and information to maintain accountability and measure and review the issuer’s
performance or progress towards achievement of objectives.”
Cybersecurity Requirements
The bill goes on to modify three additional sections of the SOX Act where it conflates cybersecurity with financial systems. For example, it changes the title of §7241 to "Corporate responsibility for financial reports and information systems" (the words 'and information systems' are new) and makes internal changes adding requirements for a newly listed 'principal cybersecurity systems officer'.
Again in §7262, the new title is "Management assessment of internal controls and information systems" (the words 'and information systems' are new), with added instructions for "adequate internal control and cybersecurity systems structures and procedures for financial and information systems reporting". The bill would essentially duplicate the current financial reporting requirements for information systems.
Finally, in §7265, the new title is "Disclosure of audit committee financial and cybersecurity systems experts" (the reference to cybersecurity systems experts is new). The new language would require the Securities and Exchange Commission (SEC) to consult with the Secretaries of Homeland Security and Commerce to come up with an appropriate definition of 'cybersecurity systems expert'.
Moving Forward
McDermott is not a member of the House Financial Services Committee, the committee to which this bill was assigned for consideration.
This makes it unlikely that this bill will receive consideration in that
Committee. There is an outside chance that this bill could be offered as a
floor amendment to the Financial Services spending bill, but it is unlikely
that it would survive a vote on the floor. Corporate opposition to the huge
expansion of the SOX Act requirements proposed in this bill would be fierce.
Commentary
Ignoring for the moment the question of just how effective
the SOX Act has been in preventing financial irregularities in corporate
finances, conflating cybersecurity issues with financial governance seems to be
counter-productive. Adding corporate cybersecurity governance requirements to
the SOX Act makes a certain amount of sense, but they would probably have been
more effective if they had been added as a new and separate section of the Act.
Of course, the bigger issue here (as elsewhere in cybersecurity regulation) is where the SEC would find the trained personnel to properly evaluate (and ultimately investigate) cybersecurity governance. Not only would these people need a background in cybersecurity (a field where there is already an ever-growing mismatch between open positions and trained personnel), but they would also have to have a background (or training) in managing corporate cybersecurity programs. It will be a long time before many people with that combination are available for government service.
Finally, it absolutely astounds me that this bill would so specifically restrict cybersecurity governance to IT and financial systems. While there are certainly more companies that are at risk of financial harm from attacks on those systems, there are still a very large number of companies (including some very large ones) whose financial stability relies on the consistent operation of their industrial control systems. Ignoring that set of cybersecurity risks in a cybersecurity governance regime just makes no sense.