Maine Sens. Susan Collins and Angus King have added their names to a letter this week calling on the Securities and Exchange Commission to introduce new cybersecurity reporting rules for publicly traded companies.
This week, the SEC rolled out the first of what is expected to be a number of new proposed cybersecurity rules over the next year, voting 3-1 to require investment advisers and investment companies to report cybersecurity incidents and major breaches to the agency, to adopt and implement written cybersecurity policies that are “reasonably designed” to address risks, and to document any breaches or incidents they have suffered in the past two years.
“I think such reforms could help reduce the risk for these registrants posed by significant cybersecurity incidents,” SEC Chair Gary Gensler said of the proposal in a Feb. 9 announcement. “I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks.”
On Wednesday, five senators (Jack Reed, D-R.I., Mark Warner, D-Va., Ron Wyden, D-Ore., Catherine Cortez Masto, D-Nev., and Kevin Cramer, R-N.D.) wrote to the SEC praising the move but calling for the agency to go further and institute new rules requiring publicly traded companies to disclose to investors whether they have a cybersecurity expert on their board of directors and, if not, to explain why. The proposal is also part of a bill, the Cybersecurity Disclosure Act, that is sponsored or co-sponsored by all of the (now seven) signatories of the letter.
They describe the purpose of the bill as encouraging “directors to play a more effective role in cybersecurity risk oversight.”
“The bill does not tell companies how to deal with cybersecurity threats. How a company chooses to address cybersecurity risks would remain its own decision,” the senators wrote. “Boards of directors would be encouraged to develop approaches that address their own needs.”
They also cast the idea as a way to force public companies to be more proactive about addressing latent cybersecurity risks and put effective policies in place ahead of time instead of waiting until a breach or incident forces their hand.
“Public companies and investment managers should pay attention to threats before they are realized. This is a better approach than scrambling to figure out what went wrong after investors have been harmed,” the senators wrote.