Senator Collins Joins Bipartisan Group in Introducing Legislation to Strengthen Cybersecurity Risk Management at Publicly Traded Companies


Washington, D.C. - In an effort to better protect customers, increase transparency for investors, and ensure public companies are prioritizing cybersecurity and data privacy, U.S. Senator Susan Collins (R-ME) joined Senators Jack Reed (D-RI), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL) in introducing the Cybersecurity Disclosure Act of 2019.  Senator Collins is a member of the Senate Intelligence Committee. 


The Cybersecurity Disclosure Act of 2019 would require publicly traded companies to state, in their Securities and Exchange Commission (SEC) disclosures to investors, whether any member of the company’s Board of Directors is a cybersecurity expert and, if not, why other cybersecurity steps taken by the company make such expertise on the Board unnecessary.  The legislation does not require companies to take any actions other than to provide this disclosure.


“As cyberattacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Senator Collins.  “This bipartisan bill strengthens our nation’s cybersecurity by requiring companies to disclose to the public the basic steps they are taking to prevent cyberattacks.”


Cyberattacks on companies and businesses continue to increase in their sophistication, exposing customers and data to risk. According to the Identity Theft Resource Center, the number of records containing personally identifiable information exposed by data breaches in the business industry grew from 181,630,520 in 2017 to 415,233,143 in 2018, and in the medical and health care industry from 5,302,846 in 2017 to 9,927,798 last year.  Across all industries, the number of records containing personally identifiable information exposed by data breaches rose 126 percent, from 197,612,748 in 2017 to 446,515,334 in 2018.


Deloitte’s 11th Global risk management survey of financial institutions found that “sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely or very effective in managing this risk.” And according to the 2018-2019 National Association of Corporate Directors Public Company Governance Survey, only 52 percent of directors “are confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight,” and 58 percent “believe their boards collectively know enough about cyber risk to provide effective oversight.”


The bipartisan Cybersecurity Disclosure Act of 2019 is supported by consumer advocates, investors, and securities law experts, including the North American Securities Administrators Association; the Council of Institutional Investors; the National Association of State Treasurers; the California Public Employees’ Retirement System; the Bipartisan Policy Center; Massachusetts Institute of Technology Professor Simon Johnson; Harvard Law Professor John Coates; Columbia Law Professor Jack Coffee; K&L Gates LLP; and the Consumer Federation of America.