Public Companies Will Be Required To Disclose If No Cyber Expert On BoD
The House Intelligence Committee introduced a bill that will require publicly traded companies to tell investors in their SEC filings whether they have someone with cyber expertise on their board. If they do not, they need to explain why such expertise is unnecessary (sounds like a risk assessment to me). This is a bipartisan bill and could get some real traction. If you have not been watching, there is plenty going on in the regulatory space regarding cybersecurity and privacy, and it is only going to continue. There have been too many breaches, too many failed explanations, too many violations of trust, and now Congress (and the courts) will get involved.
I am not saying it’s good or bad, but history is clear: the government will seek to regulate when companies aren’t living up to their corporate citizenship responsibilities, and class action litigation comes in to punish the failures. U.S. companies have not had any real punishment for their breaches; therefore, their motivation to dig deeper and figure cybersecurity and privacy out has been lacking. There are enough frameworks, best practices, etc. out there to build an understanding of where you stand from a cybersecurity and privacy risk perspective and a vision of how to reduce those risks. The board is there to understand all risk, and not having that expertise available in the boardroom may be considered negligent in and of itself.