Back in July Rep. Himes (D,CT) introduced HR 6638, the Cybersecurity
Disclosure Act of 2018. The bill directs the Securities and Exchange Commission
to require reporting companies to include in annual reports a listing of senior
personnel with expertise or experience in cybersecurity.
The bill gives the Commission 360 days to issue
final rules requiring reporting companies to “disclose whether any member of the
governing body, such as the board of directors or general partner, of the
reporting company has expertise or experience in cybersecurity and in such
detail as necessary to fully describe the nature of the expertise or experience”
{2(b)(1)}.
Moving Forward
Himes and his two Democratic cosponsors {Rep. Meeks (D,NY)
and Rep. Heck (D,WA)} are members of the House Financial Affairs Committee, to
which this bill was assigned for consideration. Normally, this could provide
them with sufficient influence to have the bill considered in Committee. This
late in the session, however, such consideration is unlikely.
Business interests with no cybersecurity representation
(probably a large majority of middle size and smaller businesses) would be
expected to oppose such reporting requirements. Since this is a major Republican
constituency, I expect that there will be little or no support from Republicans
on this bill.
Commentary
There is something odd about the way this bill was written.
It includes a list of definitions in §2(a),
two of which are never used in the bill. Those two definitions are the only
reason that I am discussing the bill. The two terms? “Cybersecurity Threat” and
“Information System”.
The first term is defined in two parts. The first {§2(a)(2)(A)}:
“An action, not protected by the
First Amendment to the Constitution of the United States, on or through an
information system that may result in an unauthorized effort to adversely
impact the security, availability, confidentiality, or integrity of an information
system or information that is stored on, processed by, or transiting an
information system.”
The second part of the definition is the now obligatory {§2(a)(2)(B)}:
“Does not include any action that
solely involves a violation of a consumer term of service or a consumer
licensing agreement.”
Nothing new or interesting here; it is a now standard
IT-centric cybersecurity definition. The next term would normally also fall
within that description, but the crafters of this bill included an addendum to
one of the standard ‘information system’ definitions {§2(a)(3)(B)}:
“Includes industrial control
systems, such as supervisory control and data acquisition systems, distributed
control systems, and programmable logic controllers.”
We have seen both of these in other pieces of legislation,
but the odd thing here is that neither definition has anything to do with the
requirements of the bill. The definition of the key term in the bill, ‘expertise
or experience in cybersecurity’, is left for the Commission to define, in
consultation with NIST.
The best that I can figure is that Himes is using these two
definitions to establish congressional intent that cybersecurity (for the
purposes of this particular Commission regulation) includes control system
security. Whether or not this would encourage reporting companies to include
people with an ICS background in their governing bodies remains to be seen, but
it might (should?) encourage the SEC to allow for such eventuality in their
definition of ‘expertise or experience in cybersecurity’.