Your Board’s Cyber Expertise (or Lack Thereof) May Soon Be Exposed

In December of 2015, two senators—in a bipartisan effort—introduced the Cybersecurity Disclosure Act of 2015. The proposal (not yet a law) has public companies on alert.

Companies aren’t taking notice simply because of their heightened awareness of cyber security incidents. The issue is the need to address yet another disclosure topic, and perhaps add a new board member, if this bill passes.

The new rules would pressure public companies to add cyber security experts to the board through a “disclose or explain” mandate. Within 360 days of the enactment, reporting companies would be obligated to do the following:

(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.

What constitutes expertise? The proposed bill leaves this definition to the Securities and Exchange Commission and the National Institute of Standards and Technology. The bill’s guidance in this regard is stringent:

Cybersecurity Expertise Or Experience.—For purposes of subsection (b), the Commission, in coordination with the National Institute of Standards and Technology, shall define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats.

Is the proposed bill a necessary intervention that will materially enhance the protection of shareholders who are otherwise unable to protect themselves? Probably not—but that doesn’t mean this bill won’t become law.

This bill is political; it has the appearance of addressing a perceived problem, but like most one-size-fits-all mandates is poorly calibrated and arguably even distorts the market.

As a general matter many of you probably agree that, in a well-functioning, liquid market such as the US market, companies that face new business issues will provide disclosure about the new issues if doing so would result in greater stock price support. Regulatory prompting is not necessary.

If a certain type of disclosure is important, the price per share of firms that give this type of disclosure to their shareholders will reflect the value of this disclosure to shareholders.

Conversely, similar firms that do not give their shareholders good disclosure would suffer from a lower price per share.

Will shareholders of a window manufacturer with no proprietary data or retail customer records care about the proposed disclosure? Probably not. Will shareholders of a retailer or cloud company value the proposed disclosure? Probably yes.

If the proposed Cybersecurity Disclosure bill passes and the proposed disclosures are required of all firms, we won’t be able to use the market to determine whether, in fact, shareholders value having the disclosure.

It’s unfortunate when regulators impose burdensome but irrelevant disclosure requirements on companies; it’s a waste of shareholder resources.

The classic example of this sort of disclosure burden—one that was clearly politically motivated, as opposed to being a nuanced reaction to something shareholders needed but couldn’t get despite a well-functioning market—is the conflict minerals disclosure.

Regardless of where this proposed disclosure shakes out, boards have a duty to be up to speed on cyber issues vis-à-vis the companies they serve. There are a raft of continuing education opportunities available on this topic, and engaged directors are attending them.

Coming up on February 18, the Silicon Valley Directors’ Exchange is hosting a morning program with breakfast from 7 a.m. to 9:30 a.m. on cyber attack crisis management.

(Full disclosure: I’m on the board of the Silicon Valley Directors’ Exchange.)

My colleague Lauri Floresca, senior vice president and cyber team lead at Woodruff Sawyer, is a recognized thought leader on cyber liability insurance risk management. She’ll be joined with other experts in a panel to discuss:

• The board’s obligation to understand the company’s IT function and cyber response plan.
• Practical tips on crisis management in the event of a breach.
• Legal and insurance considerations for a breach response.
• A director’s duties, and the pros and cons of working with law enforcement and regulatory agencies.

For more information or to sign up for the cyber event hosted by Silicon Valley Directors’ Exchange, go here.

The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email: phuskins@woodruffsawyer.com.