“In recent years, there has been an increase in the frequency and sophistication of cybersecurity attacks on both businesses and governments. There has also been an increased interest in government regulation of cybersecurity to protect the public from data breaches. Recently, two American Senators – one Democrat and one Republican – introduced a bill that would require publicly traded companies to have a cybersecurity expert on their board, or explain why having such a board member is unnecessary.
On December 17, 2015, the Cybersecurity Disclosure Act of 2015 (the “Bill”) was introduced in the United States Senate to promote transparency in the oversight of cybersecurity risks of publicly traded companies. This bipartisan bill would require reporting issuers, in their annual report or annual proxy statement submitted under the Securities Exchange Act of 1934 (United States), to either:
- disclose whether any member of the board of directors (or other governing body) of the publicly traded company has expertise or experience in cybersecurity and describe the nature of that expertise or experience; or
- if no member of the board of directors has cybersecurity expertise or experience, describe what other cybersecurity measures have been taken by the publicly traded company that have caused it to determine that cybersecurity expertise or experience is not required at the board level.
The Bill states that what constitutes “cybersecurity expertise or experience” is to be determined by the Securities and Exchange Commission and the National Institute of Standards and Technology.
The Bill seeks to implement a “comply or explain” regime. It does not impose any obligations on public companies with respect to cybersecurity beyond the above-mentioned disclosure. Canadian issuers are already familiar with such regimes. For example, National Instrument 58-101 has long taken a “comply or explain” approach to the corporate governance practices of Canadian issuers, most recently with respect to the representation of women on the boards of directors and in executive officer positions…”