[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1731 Reported in House (RH)]

<DOC>





                                                 Union Calendar No. 518
116th CONGRESS
  2d Session
                                H. R. 1731

                          [Report No. 116-633]

To amend the Securities Exchange Act of 1934 to promote transparency in 
   the oversight of cybersecurity risks at publicly traded companies.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 13, 2019

    Mr. Himes (for himself, Mr. Heck, and Mr. Meeks) introduced the 
   following bill; which was referred to the Committee on Financial 
                                Services

                            December 8, 2020

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
 [For text of introduced bill, see copy of bill as introduced on March 
                               13, 2019]


_______________________________________________________________________

                                 A BILL


 
To amend the Securities Exchange Act of 1934 to promote transparency in 
   the oversight of cybersecurity risks at publicly traded companies.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Disclosure Act of 
2019''.

SEC. 2. CYBERSECURITY TRANSPARENCY.

    The Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.) is 
amended by inserting after section 14B (15 U.S.C. 78n-2) the following:

``SEC. 14C. CYBERSECURITY TRANSPARENCY.

    ``(a) Definitions.--In this section--
            ``(1) the term `cybersecurity' means any action, step, or 
        measure to detect, prevent, deter, mitigate, or address any 
        cybersecurity threat or any potential cybersecurity threat;
            ``(2) the term `cybersecurity threat'--
                    ``(A) means an action, not protected by the First 
                Amendment to the Constitution of the United States, on 
                or through an information system that may result in an 
                unauthorized effort to adversely impact the security, 
                availability, confidentiality, or integrity of an 
                information system or information that is stored on, 
                processed by, or transiting an information system; and
                    ``(B) does not include any action that solely 
                involves a violation of a consumer term of service or a 
                consumer licensing agreement;
            ``(3) the term `information system'--
                    ``(A) has the meaning given the term in section 
                3502 of title 44, United States Code; and
                    ``(B) includes industrial control systems, such as 
                supervisory control and data acquisition systems, 
                distributed control systems, and programmable logic 
                controllers;
            ``(4) the term `NIST' means the National Institute of 
        Standards and Technology; and
            ``(5) the term `reporting company' means any company that 
        is an issuer--
                    ``(A) the securities of which are registered under 
                section 12; or
                    ``(B) that is required to file reports under 
                section 15(d).
    ``(b) Requirement to Issue Rules.--Not later than 360 days after 
the date of enactment of this section, the Commission shall issue final 
rules to require each reporting company, in the annual report of the 
reporting company submitted under section 13 or section 15(d) or in the 
annual proxy statement of the reporting company submitted under section 
14(a)--
            ``(1) to disclose whether any member of the governing body, 
        such as the board of directors or general partner, of the 
        reporting company has expertise or experience in cybersecurity 
        and in such detail as necessary to fully describe the nature of 
        the expertise or experience; and
            ``(2) if no member of the governing body of the reporting 
        company has expertise or experience in cybersecurity, to 
        describe what other aspects of the reporting company's 
        cybersecurity were taken into account by any person, such as an 
        official serving on a nominating committee, that is responsible 
        for identifying and evaluating nominees for membership to the 
        governing body.
    ``(c) Cybersecurity Expertise or Experience.--For purposes of 
subsection (b), the Commission, in consultation with NIST, shall define 
what constitutes expertise or experience in cybersecurity using 
commonly defined roles, specialties, knowledge, skills, and abilities, 
such as those provided in NIST Special Publication 800-181, titled 
`National Initiative for Cybersecurity Education (NICE) Cybersecurity 
Workforce Framework', or any successor thereto.''.
                                                 Union Calendar No. 518

116th CONGRESS

  2d Session

                               H. R. 1731

                          [Report No. 116-633]

_______________________________________________________________________

                                 A BILL

To amend the Securities Exchange Act of 1934 to promote transparency in 
   the oversight of cybersecurity risks at publicly traded companies.

_______________________________________________________________________

                            December 8, 2020

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed