In a rarely glorified show of bipartisan support, the Senate recently introduced a bill to enhance Cybersecurity focus for public companies. U.S. Senators Jack Reed (D-RI), Susan Collins (R-ME), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL) introduced S. 592 on the Senate floor in March.
S. 592, or The Cybersecurity Disclosure Act of 2019, officially introduces the idea of annually disclosing how a public company is addressing cybersecurity. This would require the issuer to have a cybersecurity expert within the governing body (i.e. the board of directors) or make steps to getting expertise for the governance of the company. The definition of “cybersecurity expertise” or “cybersecurity experience” is derived from existing publications of National Institute of Standards and Technology (NIST) such as Special Publication 800-181.
SP 800-181 is the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework that is intended to
serve as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization.
The announcement cited the Identity Theft Resource Center’s study that provided a sobering statistic of an increase of 126% for records exposed by data breaches from 2017 to 2018.
The Bill is currently referred to the House Committee on Financial Services under a companion bill of the same name by congressman Jim Himes (D-CT). For public entities, this will be one to keep an eye on as this is an amendment to the Securities Exchange Act of 1934.