Bill would mandate ‘cybersecurity experts’ on corporate boards

New legislation in Congress would push publicly traded companies to include cybersecurity experts on their boards of directors, but some security experts aren’t fans of the bill.

On March 1, a bipartisan group of five senators reintroduced the Cybersecurity Disclosure Act, which would require publicly traded companies to tell the Securities and Exchange Commission whether any members of their boards are cybersecurity experts. If no member of the board is, the bill would require the company to tell the SEC that having the expertise is not necessary because of other cybersecurity steps it has taken.

The legislation is getting mixed reviews, with some cybersecurity experts saying it would help raise awareness of cyberthreats at the corporate board level, while others say it may not have much of an effect. Similar legislation introduced in 2017 failed to pass.

“My view is this is the sort of simplistic legislation [and] regulation that we get when people who don’t understand cybersecurity decide they ought to be regulating cybersecurity,” said Larry Clinton, president of the Internet Security Alliance, a trade group that publishes the Cyber Risk Handbook for the National Association of Corporate Directors.

One of the major problems with the bill is a “complete lack of consensus” about the definition of a cybersecurity expert, Clinton added.

The bill tasks the SEC and the National Institute of Standards and Technology to come up with a definition.

If the definition of an expert is someone who has passed a cybersecurity certification, the person may not have the core skills needed in a board position, such as setting strategy or managing finances, according to Mike Banic, vice president of marketing at Vectra, a vendor of artificial intelligence-based cybersecurity.

The bill’s sponsors may have an incorrect view of how large companies are prioritizing cybersecurity, Banic added. “Cybersecurity and risk management have been top priorities and a top source of investment for the past several years,” he said. At many companies, “board members have made cybersecurity a priority and the chief information security officer is frequently invited to present or submit content for the board members to review.”

It’s also unclear where boards would find the cybersecurity experts, Clinton said.

“By almost any definition we don’t have enough cybersecurity experts to populate every organization’s board,” he said. “We have tens of thousands of core cybersecurity jobs currently open because we can’t find qualified people for those base-level positions, let alone enough experts for every board.”

If the definition of “cybersecurity expert” turns out to be someone who understands how cyberattacks happen on a technical level, that’s more of a job for management than for the board, Clinton added.

Banic agreed. “Cybersecurity is a front-line battle and someone in charge of cybersecurity operations needs to be there every day to understand the correct strategy for the company,” he said. “I would rather see a requirement for cybersecurity representation at the executive level rather than at the board level.”

The bill gives companies several options for meeting the disclosure requirement, said Sen. Jack Reed, D-R.I., its primary sponsor. Companies would still be able to decide for themselves how to meet their cybersecurity needs, he said on the Senate floor when introducing the bill. Some companies could hire outside consultants, others could choose to boost their staff cybersecurity expertise, and others could put an expert on their boards, he said.

“Investors and customers deserve a clear understanding of whether publicly traded companies are prioritizing cybersecurity and have the capacity to protect investors and customers from cyber-related attacks,” Reed added. “Our legislation aims to provide a better understanding of these issues through improved SEC disclosure.”

Other supporters said the bill is appropriate, given modern dependence on information technology.

“Now that all companies rely on digital technologies like software and the Internet to run their businesses, the majority of strategic corporate decisions require a solid understanding of digital risk,” said Phil Neray, vice president of industrial cybersecurity for CyberX, an industrial control security company. “It makes a lot of sense to encourage public companies to have cyber experts on their boards, so they can bring an informed perspective about digital risk to important board conversations.”

The bill would force the responsibility for cybersecurity into the board room, and that’s a good thing, added Keenan Skelly, vice president of global partnerships and security evangelist at cybersecurity training vendor Circadence.

“It will be a culture change for many boards, particularly those in technology who tend to discount security due to the associated costs,” Skelly added. “But in the end, it will help protect the organization.”