On December 17, 2015, a new bill was introduced to the US Senate to encourage the disclosure of cybersecurity expertise and experience on the corporate boards of publicly traded companies. The Cybersecurity Disclosure Act of 2015 was developed in response to the recent wave of data breaches across a number of industries. The legislation would require publicly traded companies to disclose the cybersecurity expertise that is represented on their boards of directors or to disclose what other steps the company has taken to identify or evaluate nominees for this board-level cybersecurity position. The bill does not, however, require that any specific action be taken; it is focused solely on disclosure of the current board’s cybersecurity expertise.
In addition, the potential legislation would also require that the Securities and Exchange Commission (SEC), along with the National Institute of Standards and Technology (NIST), define what constitutes cybersecurity expertise, including professional qualifications to oversee cybersecurity program functions and/or what constitutes cybersecurity experience (e.g., detecting, preventing, mitigating or addressing cybersecurity risks and threats).
Bottom line: Be proactive, prepared and aware
While the legislation has only been introduced at this point, it highlights the importance of board members and the audit committee in the entire oversight process of cybersecurity. Most board members do not typically possess cyber knowledge, yet their fiduciary responsibility includes protecting valuable assets – in this case, data and information.
Whatever the outcome of the bill, boards should engage management periodically to understand the company’s cybersecurity management program. In addition, board directors should seek opportunities to upgrade their own knowledge of cybersecurity risk.
What to do now
- Enhance your own cybersecurity knowledge. Start with an overview of what boards and audit committees need to know now and understand the requirements for an effective cybersecurity management program.
- Meet with management periodically to familiarize yourself with the company’s initiatives to determine its cybersecurity risk profile and receive regular updates on the company’s cybersecurity program.
- Require that management obtain a periodic cybersecurity risk assessment by an independent third-party consultant that evaluates the company’s cybersecurity processes, policies, technology and governance.
- Closely monitor developments related to cybersecurity legislation, regulation and oversight, including action by the SEC.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.