A bipartisan group of senators is urging the Securities and Exchange Commission (SEC) to increase transparency in cybersecurity incident reporting requirements for public companies overseen by the SEC.
In a Feb. 8 letter, Sens. Jack Reed, D-R.I., Angus King, I-Maine, Susan Collins, R-Maine, Mark Warner, D-Va., Kevin Cramer, R-N.D., Catherine Cortez Masto, D-Nev., and Ron Wyden, D-Ore., suggested that SEC Chairman Gary Gensler consider a range of updates to rules governing public company and investment company cybersecurity reporting.
The lawmakers urged that Gensler coordinate any new rules with National Cyber Director Chris Inglis.
While the senators did not explicitly tie their request to the aims of current Senate legislation that would require timely cyber incident reporting to Federal authorities by critical infrastructure providers, they used similar language in their letter.
“Investors deserve a clear understanding of whether companies and investment managers are prioritizing cybersecurity,” the senators said. “They also have a right to prompt notification of serious cybersecurity incidents.”
The lawmakers also suggested that the SEC update its rules to require public companies to disclose whether a cybersecurity expert sits on the company’s board of directors. That suggestion aligns directly with bipartisan legislation the senators introduced last year.
The Cybersecurity Disclosure Act of 2021 would amend the Securities Exchange Act of 1934 to promote transparency in the oversight of cybersecurity risks at publicly traded companies by requiring disclosure on an annual basis of whether boards of directors have experience in cybersecurity.
“America’s economic prosperity is linked to strong cybersecurity defenses in the private sector. The alternative, unfortunately, puts investors’ hard-earned savings and pensions at risk,” the senators said.
They emphasized that their bill does not instruct public companies on how to deal with cyber threats or incidents, and said how a company chooses to address cybersecurity threats would remain the company’s own decision.
“Boards of directors would be encouraged to develop approaches that address their own needs. The goal is to encourage directors to play a more effective role in cybersecurity risk oversight,” the senators said. “This is a better approach than scrambling to figure out what went wrong after investors have been harmed.”