[BreachExchange] Feds might force your board to be cyber-aware

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 2 19:53:58 EDT 2016


http://www.csoonline.com/article/3102985/security/feds-might-force-your-board-to-be-cyber-aware.html

Laws frequently change the way that we do business. Whether it's taxes,
regulations or some other requirement that we, as business people, are
obliged to abide by, compliance is essential to avoiding legal actions and
getting our jobs done without interference.

Sometimes laws might even change the structure of your business. There's
one pending in the US Senate right now, in fact, that hasn't gotten a lot
of exposure but could change the composition of your board of directors and
their responsibilities.

The Cybersecurity Disclosure Act of 2015 (S.2410 of the 114th Congress) is
a law proposed on Dec. 15, 2015 which states that if your business is
publicly held (shares of your stock are sold on the open exchanges such as
NYSE, NASDAQ and others) your official filings with the Securities and
Exchange Commission (SEC) must state who on the board is a cybersecurity
expert. Moreover, if your board doesn't have a designated cybersecurity
expert, you'll have to explain why.

In government-speak it intends "To promote transparency in the oversight of
cybersecurity risks at publicly traded companies." In other words, the
government will be stepping in to make sure at least one of the directors
on your board can help the company protect itself from hackers, identity
theft, ransomware, etc. Whether you approve of the feds playing Big Brother
or not, it would be inadvisable to ignore the impact this law might have on
your company.

So does this law affect you? And if it does, what will you have to do to
comply? That leads us to a few key questions:

What does The Cybersecurity Disclosure Act of 2015 mean?

In short, this proposed law states that every publicly held company in the
United States - and there are thousands - must specify in their public
filings which member of their board of directors is their designated
cybersecurity expert (let's call this Director the "DCE"). If the board
does not have a DCE the company must explain why it feels that it does not
need one and what measures it is taking to protect itself from cybercrime
and cyberattacks.

(Note that every public company must have such a board. Privately held
companies may form a board at their option, but once they sell shares of
the company to investors or internal employees, a board is mandatory.)

The law is still in the pending/proposed stage, but if it is passed, the
SEC will create and publish guidelines within a year of its approval
specifying what publicly traded companies must publish in their annual
reports regarding cybersecurity threat prevention.

Who will be affected by this law?

This law is intended to create a mandate for public companies only.
However, any company that must report to investors, its own employees or,
perhaps most importantly, its customers, about the measures it takes to
protect the company's finances, operations, data and reputation should
consider this law as a guideline for what it should be providing.

If it passes - then what?

If you are a publicly traded company you will be legally compelled to have
someone on your board of directors who has expertise and/or experience in
cybersecurity (although "expertise" has yet to be defined). If no current
director has such expertise or experience it will be incumbent upon the
company to either add one to its board or have one of its directors become
sufficiently experienced, trained – or possibly certified – in
cybersecurity matters, threat prevention, fraud detection, identity
management and other forms of cybercrime.

Make no mistake about it - the SEC means business. In June 2014 Luis A.
Aguilar, commissioner at the US Securities and Exchange Commission (SEC)
said:

"Boards that choose to ignore, or minimize, the importance of cybersecurity
oversight responsibility, do so at their own peril."

So if you do intend to add someone to the board or train an existing
director to be a cybersecurity "expert" what does that mean?

This all begs the question: What qualifies someone as having "expertise" or
"experience" in cybersecurity? In typically cryptic government fashion the
proposed law doesn't say. It's a mystery so far as to what classifies
someone as an "expert" or having had experience in the subject matter. That
said, it's safe to assume that the following individuals would qualify as
"cybersecurity experts":

Anyone certified as a CISSP (Certified Information Systems Security
Professional) or higher by the International Information System Security
Certification Consortium (ISC2) or other recognized security standards body.
Anyone with experience in running an organization or enterprise where they
play an active role in day-to-day management of identity management or
cybercrime prevention activities.
Anyone holding a patent in identity management, fraud detection, threat
prevention or other cyber threat management software, processes or products.
Or, finally, anyone recognized by others as an expert in the subject matter
by virtue of authoring multiple articles, white papers or analyses that
have been peer reviewed, cited or quoted repeatedly by publicly recognized
media.

Will the law pass?

Who knows? It's impossible to tell until it comes up for a vote.
Nonetheless, given the regular and growing exposure of cyber threats in
public news sources, exposures of hacking, ransomware, data theft,
malicious damage, theft of personal information including Social Security
numbers, credit card numbers, login IDs and passwords and medical
information, it's reasonable to assume that the proposed law will have
broad exposure and support. Even if it doesn't pass in its current form
it's likely to generate enough buzz to force public company boards to make
some changes.

If the law doesn't pass are directors still at risk?

In short, yes. Board directors, both collectively and individually, carry
some risk. Directors are part of a unique business ecosystem: the CEO
reports to the board, succession plans for the current CEO are the board's
responsibility, and it is incumbent upon the board to ensure that the
C-level executives in the company are doing whatever they need to do to
protect the enterprise from hacking.

Unfortunately, most boards are ill-equipped to handle cybersecurity issues
at all, and even less ready to affirm that they have a director who
qualifies as a designated cybersecurity expert (DCE).

In short, if your board does not have a director who can be its DCE, start
thinking about getting one now. Cyber attacks, theft, ransomware and other
breaches are already problematic for boards and are likely to get
significantly worse. It's essential to teach your directors to be
cyberaware… and to find someone who can qualify as an expert.