WASHINGTON, DC – In an effort to better protect customers, increase transparency for investors, and ensure public companies are prioritizing cybersecurity and data privacy, U.S. Senators Jack Reed (D-RI), Susan Collins (R-ME), and Mark Warner (D-VA) are introducing the bipartisan Cybersecurity Disclosure Act of 2017.  The bill asks companies to disclose whether any members of their corporate boards have cybersecurity expertise -- similar to existing financial expert disclosures -- but does not require cyber expertise, only disclosure.

The Reed-Collins-Warner legislation would require publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the company.  The legislation does not require companies to take any actions other than to provide this disclosure.

Cyberattacks on companies and businesses continue to increase in frequency and sophistication.  Indeed, 2016 was another record-breaking year for data breaches, which increased 40% from the prior year to 1,093 breaches according to the Identity Theft Resource Center.

However, according to a new Deloitte survey of risk managers at financial institutions, just 42 percent of respondents considered their institution to be effective in managing cybersecurity risk.

And according to the 2016-2017 National Association of Corporate Directors (NACD) Public Company Governance Survey: “Fifty-nine percent of respondents reported that they find it challenging to oversee cyber risk, and only 19 percent of respondents said that their boards possess a high level of knowledge about cybersecurity.”

“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process.  Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight,” said Senator Reed, a senior member of the Senate Banking Committee.  “This legislation will highlight how focused firms are in terms of data security and safeguarding private information and should encourage more companies to improve their cybergovernance.  Through simple disclosure, we can strengthen cybersecurity oversight.”

“As cyber-attacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Senator Collins, a member of the Senate Intelligence Committee.  “Our bill would make sure companies disclose to the public the basic steps they are taking to protect their businesses from cyber attacks.”

“All public companies face threats daily from determined cyberattackers out to steal their data.  As we’ve seen with data breaches at retailers like Target and service providers like Yahoo, it is in the best interest of consumers and shareholders for companies to fully disclose the plans they’ve set in place to defend against them,” said Senator Warner, a member of the Banking Committee.  “This legislation provides needed transparency in an often shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks.”

The bipartisan Reed-Collins Cybersecurity Disclosure Act of 2017 is supported by consumer advocates and securities law experts, including the Consumer Federation of America; Harvard University School of Law Professor John Coates; Columbia University School of Law Professor John Coffee; and former International Monetary Fund Chief Economist and Massachusetts Institute of Technology Professor Simon Johnson.