We hear about data breaches every week in the news, and in response to that reality, companies are starting to talk about them in board rooms as well.
Organizations are taking today's data breach environment very seriously—to the point of reporting on security threat management efforts at the board level—because they understand the economic impact on their businesses, and more importantly on their brands.
But should boards themselves be required to include at least one member with cybersecurity-specific expertise? According to S.2410 - Cybersecurity Disclosure Act of 2015, a cybersecurity bill introduced late last year by Senators Jack Reed (D-RI) and Susan M. Collins (R-ME), they should. And if not, the bill stipulates that boards (or other governing bodies) of publicly traded companies should be prepared to give an account of their efforts to recruit such an individual to join their group.
While its intent appears to be the establishment of top-down cybersecurity oversight, the bill leaves several unanswered questions:
- What would qualify someone as having the appropriate level of cybersecurity expertise, and might these requirements vary based on the type of organization?
- There is a dearth of cybersecurity expertise in this country. How easy will it be for companies to fill these board seats?
- Given that the requirements would be monitored through annual reporting under the Securities Exchange Act of 1934, would a company's inability to properly satisfy the requirements be treated as an SEC violation?
As a CEO who reports to a board of directors, I appreciate and support increased accountability at the board level. However, I question whether we need legislation to enforce this. Instead, public and private organizations should voluntarily step up their cybersecurity games and adopt measures such as these as a best practice. This just makes good business sense.