Last month Sen. Reed (D,RI) introduced S 592, the Cybersecurity Disclosure Act of 2019. The bill would require the Securities and Exchange Commission to establish rules requiring the reporting of whether there was cybersecurity expertise on the board of directors or other governing body of each company required to file annual reports. The bill is very similar to HR 6638, which was introduced last summer in the 115th Congress. No action was taken on that earlier bill. It looks like Rep. Himes reintroduced that bill in the House earlier this week, but it will be a week or two until the bill is printed.
Differences Between Bills
The main difference between S 592 and the earlier House bill is that this bill amends the Securities Exchange Act of 1934 by adding a new §14C, which would become 15 USC 78n-3 if the bill becomes law. The earlier bill imposed essentially the same requirements as a stand-alone measure.
The new bill also takes a little bit of puffery out of the final paragraph of the bill. The change is shown below (the original post marked the deleted language; that marking did not survive extraction):
“(c) CYBERSECURITY EXPERTISE OR
EXPERIENCE.— For purposes of subsection (b), the Commission, in consultation with
NIST, shall define what constitutes expertise or experience in cybersecurity, such
as professional qualifications to administer information security program
functions or experience detecting, preventing, mitigating, or addressing
cybersecurity threats, using commonly defined roles, specialities,
knowledge, skills, and abilities, such as those provided in NIST Special
Publication 800–181 entitled ‘‘NICE Cybersecurity Workforce Framework’’, or any
successor thereto.”
Interestingly, this deletion removes the last faint trace of any need for the definition of the term ‘information system’ that remains in the bill. The control-system-friendly definition of ‘information system’ was there to support the use of that term in the definition of ‘cybersecurity threat’, and ‘cybersecurity threat’ was used only in the phrase deleted above. Both definitions nonetheless remain in the new bill.
Moving Forward
Reed is a member of the Senate Banking, Housing and Urban Affairs Committee, to which this bill was assigned for consideration. Additionally, his cosponsors include Sen. Warner (D,VA), the Ranking Member of the Security, Insurance, and Investment Subcommittee, and two Republican members of the Committee. This means that it is very likely that the bill will be considered in Committee.
There is nothing in the bill that would seem to draw any obvious opposition, so it should pass in Committee. Whether or not it will make it to the floor for consideration is very difficult to determine. This bill would normally be considered under the unanimous consent process, and a single voice in opposition would prevent it from being considered under that process. That voice could be raised in ire over something the SEC had done that has nothing to do with this bill.
Commentary
This is all well and good as a call for cybersecurity experience on corporate boards, but there are not that many people who would fit the probable description to go around to all of the corporate boards in the country.
The bigger question is whether it is really necessary. While it would be hard to find a corporation that did not have at least some level of cybersecurity exposure, do all of them have enough to require board-level oversight? Given the relative scarcity of board-level qualified cybersecurity experts, there should probably be mandatory cybersecurity representation only on some specific subset of corporations, selected either by size or by sector (banking, insurance, energy, etc). Of course, that bill would be much harder to write.