On December 17, 2015, a new bill was introduced in the US Senate to encourage the disclosure of cybersecurity expertise and experience on the corporate boards of publicly traded companies. The Cybersecurity Disclosure Act of 2015 was developed in response to the recent wave of data breaches across a number of industries. The legislation would require publicly traded companies to disclose the cybersecurity expertise represented on their board of directors, or to disclose what other steps the company has taken to identify or evaluate nominees for this board-level cybersecurity position. The bill does not, however, require that any specific action be taken; it is focused solely on disclosure of the current board’s cybersecurity expertise.
The proposed legislation would also require the Securities and Exchange Commission (SEC), along with the National Institute of Standards and Technology (NIST), to define what constitutes cybersecurity expertise, including the professional qualifications needed to oversee cybersecurity program functions and/or what constitutes cybersecurity experience (e.g., detecting, preventing, mitigating or addressing cybersecurity risks and threats).
While the legislation has only been introduced at this point, it highlights the importance of board members and the audit committee in the entire oversight process of cybersecurity. Most board members do not typically possess cyber knowledge, yet their fiduciary responsibility includes protecting valuable assets – in this case, data and information.
Whatever the outcome of the bill, boards should engage management periodically to understand the company’s cybersecurity management program. In addition, board directors should seek opportunities to upgrade their own knowledge of cybersecurity risk.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.