Solution Providers Cheer Proposed Bill To Require Public Company Cybersecurity Disclosures With SEC

A recent bill proposed in the Senate could require boards of directors at public companies to disclose their cybersecurity risk and competencies, a move solution providers said is a much-needed step to increase board-level accountability for cybersecurity.

The Cybersecurity Disclosure Act of 2017, or S536, was proposed by Sen. Mark Warner (D-VA), Sen. Jack Reed (D-RI) and Sen. Susan Collins (R-ME). It would require companies to report to the U.S. Securities and Exchange Commission the expertise of their board of directors (as defined in consultation with NIST) and what steps the company is taking to improve cybersecurity. Under the bill, the company would report these items to the SEC as part of its annual filings.

The bill was introduced in the Senate earlier this month.



In a statement, Warner said the bill is designed to provide transparency to shareholders as to what risk public companies face when it comes to cybersecurity.

"It is in the best interest of consumers and shareholders for companies to fully disclose the plans they've set in place to defend against [data breaches]," Warner said in a statement. "This legislation provides needed transparency in an often-shrouded process that directly affects the privacy of millions, and will serve as a tool to urge other entities to follow through on establishing a reliable strategy to counter cyberattacks."

Solution providers cheered the proposed bill, saying it is a much-needed first step to increase board-level accountability for cybersecurity spending and potential breaches. Matt Johnson, CEO of Baltimore, Md.-based Phalanx Secure Solutions, said in an email that "public disclosure is a good first step" to helping improve cybersecurity transparency at large companies.

"It is a needed piece of legislation. Too many people are putting trust in these larger companies without fully knowing what is going on behind the scenes. How many times have we purchased something online from a public company, put in all of our personal data and then have trust in their security measures, only to find out later that they have been breached?" Johnson said.

The legislation comes as cybersecurity is already becoming an issue that boards of directors and C-suite executives care about, given the implications a breach can have for a company's reputation, finances, or even the CEO's job. Ryan LaSalle, Accenture Security's managing director of growth and strategy, said he is "absolutely" seeing security become top of mind for company boards of directors and top executives. According to a recent Accenture study of around 2,000 global companies, 70 percent said that security is a board-level concern.

"It is absolutely a board-level issue," LaSalle said. "We're seeing it in all of our customer base."

Ron Temske, vice president of security solutions at Logicalis U.S., said he is seeing the same trend. Temske said he sees interest level in cybersecurity at an all-time high from boards of directors, although he said deep cybersecurity expertise on boards has yet to come. That's a broad departure from the past, he said, when cybersecurity was hidden under the CIO. Now, he said he often sees CISOs reporting to the chief financial or chief legal officers as the conversation shifts to prioritize security budgets.

"I certainly see the interest level at the board at an all-time high. There's no question there," Temske said.

Accenture's LaSalle said while the boards are paying more attention, they are looking to have a different type of conversation. Instead of a technology conversation, he said talks tend to focus around business risk, with security as a way to lower risk to the organization. In particular, he said executives are looking to understand where a company stands from a cyber-risk perspective and what they can do to improve that down the road. That's a trend that Temske said he sees, as well.

"When we look back even five years ago, the focus was primarily on technology. We were brought in to talk about the latest technical solution and now we're talking about risk assessment, the value of your assets, and how are you protecting your brand or your reputation."

LaSalle said solution providers need to be able to have two types of conversations with the boards of directors and top executives. First, he said he has conversations around the threat landscape and how that could affect a particular company's risk profile. Second, he said Accenture looks to help them make the right decisions based on the company's risk profile, industry peers and strategy.

It has not been determined yet when the bill will go up for vote in the Senate.