[Congressional Record Volume 161, Number 184 (Thursday, December 17, 2015)]
[Senate]
[Page S8795]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. REED (for himself and Ms. Collins):
  S. 2410. A bill to promote transparency in the oversight of 
cybersecurity risks at publicly traded companies; to the Committee on 
Banking, Housing, and Urban Affairs.
  Mr. REED. Mr. President, today I am pleased to be introducing the 
Cybersecurity Disclosure Act of 2015 with Senator Collins. In response 
to data breaches by various companies, which exposed the personal 
information of millions of customers, this bill asks each publicly 
traded company to include, in Securities and Exchange Commission, SEC, 
disclosures to investors, information on whether any member of the 
Board of Directors is a cybersecurity expert, and if not, why having 
this expertise on the Board of Directors is not necessary because of 
other cybersecurity steps taken by the publicly traded company. The 
legislation does not require companies to take any actions other than 
to provide this disclosure to their investors.
  Many investors may be surprised to learn that board directors who 
participated in National Association of Corporate Directors roundtable 
discussions on cybersecurity late in 2013 admitted that ``the lack of 
adequate knowledge of information technology risk has made it 
challenging for them to `effectively oversee management's cybersecurity 
activities.' Participating board members also suggested that `without 
sound knowledge of--or adequate sensitivity to--the topic, directors 
cannot easily draw the line between oversight and management,' and that 
once in the technical `weeds,' directors `find it difficult to assess 
the appropriate level of [the board's] involvement in risk management.' 
''
  Investors and customers deserve a clear understanding of whether 
publicly traded companies are not only prioritizing cybersecurity, but 
also have the capacity to protect investors and customers from 
cyber-related attacks. This bill aims to provide a better understanding of 
these issues through improved SEC disclosure.
  While this legislation is a matter for consideration by the Banking 
Committee, of which I am a member, this bill is also informed by my 
service on the Armed Services Committee. It is through this dual 
Banking-Armed Services perspective that I see that our economic 
security is indeed a matter of our national security, and this is 
particularly the case as our economy becomes increasingly reliant on 
technology and the Internet.
  For example, James Clapper, Director of National Intelligence, 
recently appeared before the Armed Services Committee on September 29, 
2015, and testified that ``cyber threats to the U.S. national and 
economic security are increasing in frequency, scale, sophistication 
and severity of impact.'' He further said that ``[b]ecause of our heavy 
dependence on the Internet, nearly all information communication 
technologies and I.T. networks and systems will be perpetually at 
risk.''
  With mounting cyber threats and concerns over the capabilities of 
corporate directors, we all need to be more proactive in ensuring our 
Nation's cybersecurity before there are additional serious breaches. 
This legislation seeks to take one step towards that goal by 
encouraging publicly traded companies to be more transparent to their 
investors and customers on whether and how their Boards of Directors 
are prioritizing cybersecurity.
  I thank Harvard Law School Professor John Coates, MIT Professor Simon 
Johnson, Columbia Law School Professor John Coffee, and the Consumer 
Federation of America for their support, and I urge my colleagues to 
join Senator Collins and me in supporting this legislation.