114 HR 5069 IH: Cybersecurity Systems and Risks Reporting Act
U.S. House of Representatives
2016-04-26
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		I
		114th CONGRESS
		2d Session
		H. R. 5069
		IN THE HOUSE OF REPRESENTATIVES
		
			April 26, 2016
			Mr. McDermott introduced the following bill; which was referred to the Committee on Financial Services
		
		A BILL
		To amend the Sarbanes-Oxley Act of 2002 to protect investors by expanding the mandated internal
			 controls reports and disclosures to include cybersecurity systems and
			 risks of publicly traded companies.
	
	
	SECTION 1. SHORT TITLE.

		This Act may be cited as the "Cybersecurity Systems and Risks Reporting Act".

	SEC. 2. CYBERSECURITY AND INFORMATION SYSTEM REQUIREMENTS.

		(a) Definitions.—Section 2(a) of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7201(a)) is amended—
			(1) in paragraph (2), by inserting after "financial statements" the following: "and information systems";
			(2) in paragraph (3)(A), by striking "and financial" and inserting ", financial, and cybersecurity systems";
			(3) in paragraph (10)(B), by inserting after "quality control policies and procedures," the following: "cybersecurity systems standards and practices,"; and
			(4) by adding at the end the following:

				"(18) Information system.—The term 'information system' means a set of activities, involving people, processes, data, or technology, which enable the issuer to obtain, generate, use, and communicate transactions and information to maintain accountability and measure and review the issuer's performance or progress towards achievement of objectives.
				"(19) Cybersecurity system.—The term 'cybersecurity system' means a set of activities or state, involving people, processes, data or technology, whereby the protection of an information system of the issuer is secured from, or defended against, damage, unauthorized use or modification, misdirection, disruption or exploitation.
				"(20) Cybersecurity risk.—The term 'cybersecurity risk' means a significant vulnerability to, or a significant deficiency in, the security and defense activities of a cybersecurity system.".

		(b) Corporate responsibility.—Section 302 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7241) is amended—
			(1) in the heading of such section, by inserting after "REPORTS" the following: "AND INFORMATION SYSTEMS"; and
			(2) in subsection (a)—
				(A) by striking "and the principal financial officer or officers," and inserting ", the principal financial officer or officers, and the principal cybersecurity systems officer or officers";
				(B) in paragraph (4), by striking "internal controls" each place such term appears and inserting "internal controls and cybersecurity systems";
				(C) in paragraph (5)—
					(i) in subparagraph (A)—
						(I) by inserting after "operation of internal controls" the following: "and cybersecurity systems"; and
						(II) by inserting before the semicolon the following: "and any significant cybersecurity risks in issuer's information systems"; and
					(ii) in subparagraph (B), by inserting before the semicolon the following: ", cybersecurity systems, or information systems"; and
				(D) in paragraph (6)—
					(i) by striking "internal controls" each place such term appears and inserting "internal controls, cybersecurity systems, or information systems"; and
					(ii) by striking "significant deficiencies" and inserting "cybersecurity risks, significant deficiencies,".

		(c) Management assessment.—Section 404 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7262) is amended—
			(1) in the heading of such section, by inserting after "CONTROLS" the following: "AND INFORMATION SYSTEMS";
			(2) in subsection (a)—
				(A) by inserting after "contain an internal control" the following: "and information systems";
				(B) in paragraph (1), by striking "an adequate internal control structure and procedures for financial reporting" and inserting "adequate internal control and cybersecurity systems structures and procedures for financial and information systems reporting"; and
				(C) by amending paragraph (2) to read as follows:

					"(2) contain assessments, as of the end of the most recent fiscal year of the issuer, of the effectiveness of—
						"(A) the internal control structure and procedures of the issuer for financial reporting; and
						"(B) the cybersecurity systems structure of the issuer."; and

			(3) in subsection (b)—
				(A) in the heading of such subsection, by inserting after "Internal Control" the following: "and Cybersecurity Systems"; and
				(B) by striking "internal control assessment" and inserting "internal control and cybersecurity system structure assessments".

		(d) Disclosure of expert.—Section 407 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7265) is amended—
			(1) in the heading of such section, by striking "EXPERT" and inserting "AND CYBERSECURITY SYSTEMS EXPERTS";
			(2) in subsection (a)—
				(A) in the heading of such subsection, by striking "Expert" and inserting "and Cybersecurity Experts"; and
				(B) by striking ", as such term is defined by the Commission" and inserting "and at least 1 member who is a cybersecurity systems expert, as such terms are defined by the Commission in consultation with the Secretary of Homeland Security and the Secretary of Commerce"; and
			(3) by striking subsection (c) and inserting the following:

				"(c) Considerations with respect to cybersecurity experts.—In defining the term 'cybersecurity expert' for purposes of subsection (a), the Commission shall, in consultation with the Secretary of Homeland Security and the Secretary of Commerce, consider whether a person has, through education or experience as an information technology officer or information systems security officer, or from a position involving the performance of similar functions—
					"(1) an understanding of generally accepted principles, practices, and law relating to computer security, computer network security, and data security and privacy;
					"(2) experience in—
						"(A) the preparation of information systems audits for cybersecurity risk discovery; and
						"(B) the maintenance, implementation, and monitoring of information systems and their cybersecurity systems;
					"(3) experience with information systems aspects of internal accounting controls; and
					"(4) an understanding of audit committee functions.".

		(e) Enhanced review.—Section 408 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7265) is amended—
			(1) in subsection (a), by striking "financial statement" and inserting "financial, information systems, and cybersecurity systems statements"; and
			(2) in subsection (b)—
				(A) in paragraph (5), by striking "and" at the end;
				(B) by redesignating paragraph (6) as paragraph (7); and
				(C) by inserting after paragraph (5) the following:

					"(6) issuers that have issued cybersecurity risks disclosures; and".

		(f) Clerical amendment.—The table of contents in section 1(b) of the Sarbanes-Oxley Act of 2002 is amended—
			(1) in the item relating to section 302, by inserting after "REPORTS" the following: "AND INFORMATION SYSTEMS";
			(2) in the item relating to section 404, by inserting after "CONTROLS" the following: "AND INFORMATION SYSTEMS"; and
			(3) in the item relating to section 407, by striking "EXPERT" and inserting "AND CYBERSECURITY SYSTEMS EXPERTS".