WASHINGTON, D.C. – With cyberattacks on the rise within the private sector that put American networks at risk, U.S. Senators Susan Collins (R-Maine) and Angus King (I-Maine), the Co-Chair of the Cyberspace Solarium Commission, joined a bipartisan group of their colleagues in urging the Securities and Exchange Commission (SEC) to increase transparency requirements for companies. The Senators sent a letter to SEC Chair Gary Gensler urging him to propose rules regarding cybersecurity disclosures and to require publicly traded companies to disclose whether they have cybersecurity expertise on their boards of directors. Senators Collins and King both cosponsored the Cybersecurity Disclosure Act to improve the disclosure requirements for public companies and help prevent future cyberattacks.
“We write to urge the Securities and Exchange Commission to propose rules regarding cybersecurity disclosures and reporting. We further urge you to coordinate the formulation of these rules with the National Cyber Director,” wrote the Senators. “As you know, cybersecurity is among our most significant national security and economic challenges. Daily interactions increasingly take place in cyberspace, leading to more persistent and complex cybersecurity threats. Costs of cyberattacks have also been on the rise.”
“One effective regulatory approach would be asking public companies to disclose whether a cybersecurity expert is on the board of directors, and if not, why not. We have sponsored bipartisan legislation called the Cybersecurity Disclosure Act to require companies to provide this disclosure to investors,” continued the Senators. “Boards of directors would be encouraged to develop approaches that address their own needs. The goal is to encourage directors to play a more effective role in cybersecurity risk oversight.”
“Public companies and investment managers should pay attention to threats before they are realized. This is a better approach than scrambling to figure out what went wrong after investors have been harmed,” concluded the Senators. “America’s economic prosperity is linked to strong cybersecurity defenses in the private sector. The alternative unfortunately puts investors’ hard-earned savings and pensions at risk. We are encouraged that the SEC intends to address cybersecurity threats using a wide variety of tools, from raising the bar on risk management to clarifying when to report a serious breach that has already occurred.”
Improving cybersecurity has been a longtime priority for Senator Collins, a member of the Senate Select Committee on Intelligence. In 2012, she introduced a bill with then-Senator Joe Lieberman (I-CT) to help secure critical infrastructure and encourage information sharing, and she has continued to push the federal government and companies to protect their networks. Following the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies last year, Senator Collins joined Senators Gary Peters (D-MI), Rob Portman (R-OH), and Mark Warner (D-VA) in introducing an amendment to the National Defense Authorization Act to require critical infrastructure owners and operators and civilian federal agencies to report cyber intrusions within 24 hours of their discovery. They reintroduced the measure as a stand-alone bill earlier this week.
As a member of the Senate Armed Services Committee and the Senate Select Committee on Intelligence, and as co-chair of the Cyberspace Solarium Commission (CSC), Senator King is recognized as one of Congress’s leading experts on cyberdefense and a strong advocate for a forward-thinking cyberstrategy that emphasizes layered cyberdeterrence. Since the CSC officially launched in April 2019, dozens of its recommendations have been enacted into law. As Co-Chair of the CSC, Senator King has specifically championed increased cybersecurity reporting and pushed for new critical infrastructure reporting standards in the 2022 NDAA.
Senators Collins and King were joined on the letter by Senators Jack Reed (D-RI), Mark Warner (D-VA), Catherine Cortez Masto (D-NV), Kevin Cramer (R-ND), and Ron Wyden (D-OR).
Full text of the letter can be found below.
+++
Dear Chair Gensler:
We write to urge the Securities and Exchange Commission to propose rules regarding cybersecurity disclosures and reporting. We further urge you to coordinate the formulation of these rules with the National Cyber Director.
As you know, cybersecurity is among our most significant national security and economic challenges. Daily interactions increasingly take place in cyberspace, leading to more persistent and complex cybersecurity threats. Costs of cyberattacks have also been on the rise.
Investors often bear these costs because a serious cyberattack can permanently affect a company’s valuation and profitability.
During your most recent testimony before the Senate Banking Committee, you stated that you have asked the SEC staff to develop proposals on cybersecurity disclosures and incident reporting. You reiterated in public remarks last month that companies and investors would benefit if information on cybersecurity risk “were presented in a consistent, comparable, and decision-useful manner.”
We applaud your efforts to promote transparency and oversight of cybersecurity risks at public companies and at financial sector registrants like investment funds, investment advisers, and broker-dealers. Investors deserve a clear understanding of whether companies and investment managers are prioritizing cybersecurity. They also have a right to prompt notification of serious cybersecurity incidents. More information will enable investors to hold companies and investment managers accountable.
One effective regulatory approach would be asking public companies to disclose whether a cybersecurity expert is on the board of directors, and if not, why not. We have sponsored bipartisan legislation called the Cybersecurity Disclosure Act to require companies to provide this disclosure to investors. The bill does not tell companies how to deal with cybersecurity threats. How a company chooses to address cybersecurity risks would remain its own decision. Boards of directors would be encouraged to develop approaches that address their own needs. The goal is to encourage directors to play a more effective role in cybersecurity risk oversight.
Public companies and investment managers should pay attention to threats before they are realized. This is a better approach than scrambling to figure out what went wrong after investors have been harmed. America’s economic prosperity is linked to strong cybersecurity defenses in the private sector. The alternative unfortunately puts investors’ hard-earned savings and pensions at risk. We are encouraged that the SEC intends to address cybersecurity threats using a wide variety of tools, from raising the bar on risk management to clarifying when to report a serious breach that has already occurred.
Thank you for your attention to this important matter. Please keep our staffs informed of the SEC’s progress on improving cybersecurity disclosures and reporting by public companies and financial sector registrants.
###