Laws frequently change the way that we do business. Whether it’s taxes, regulations or some other requirement that we, as business people, are obliged to abide by, compliance is essential to avoiding legal actions and getting our jobs done without interference.
Sometimes laws might even change the structure of your business. There’s one pending in the US Senate right now, in fact, that hasn’t gotten a lot of exposure but could change the composition of your board of directors and their responsibilities.
The Cybersecurity Disclosure Act of 2015 (S.2410 of the 114th Congress) is a bill proposed on Dec. 15, 2015 which states that if your business is publicly held (shares of your stock are sold on open exchanges such as the NYSE, NASDAQ and others), your official filings with the Securities and Exchange Commission (SEC) must state who on the board is a cybersecurity expert. Moreover, if your board doesn't have a designated cybersecurity expert, you'll have to explain why.
In government-speak it intends “To promote transparency in the oversight of cybersecurity risks at publicly traded companies.” In other words, the government will be stepping in to make sure at least one of the directors on your board can help the company protect itself from hackers, identity theft, ransomware, etc. Whether you approve of the feds playing Big Brother or not, it would be inadvisable to ignore the impact this law might have on your company.
So does this law affect you? And if it does, what will you have to do to comply? That leads us to a few key questions:
What does The Cybersecurity Disclosure Act of 2015 mean?
In short, this proposed law states that every publicly held company in the United States – and there are thousands – must specify in their public filings which member of their board of directors is their designated cybersecurity expert (let’s call this Director the “DCE”). If the board does not have a DCE the company must explain why it feels that it does not need one and what measures it is taking to protect itself from cybercrime and cyberattacks.
(Note that every public company must have such a board. Privately held companies may also have a board at their option; if they sell shares of the company to outside investors or to their own employees, a board becomes mandatory.)
The bill is still in the pending/proposed stage, but if it is passed, the SEC will create and publish guidelines within a year of its approval specifying what publicly traded companies must disclose in their annual reports regarding cybersecurity expertise on the board and the steps taken to prevent cyber threats.