[Congressional Record Volume 163, Number 39 (Tuesday, March 7, 2017)]
[Senate]
[Pages S1641-S1642]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
By Mr. REED (for himself, Ms. Collins, and Mr. Warner):
S. 536. A bill to promote transparency in the oversight of
cybersecurity risks at publicly traded companies; to the Committee on
Banking, Housing, and Urban Affairs.
Mr. REED. Mr. President, today I am reintroducing the Cybersecurity
Disclosure Act of 2017 along with two members of the Select Committee
on Intelligence, Senator Collins, and the ranking member, Senator
Warner. In response to data breaches of various companies that exposed
the personal information of millions of customers, our legislation asks
each publicly traded company to include--in Securities and Exchange
Commission, SEC, disclosures to investors--information on whether any
member of the board of directors is a cybersecurity expert, and, if
not, why having this expertise on the board of directors is not
necessary because of other cyber security steps taken by the publicly
traded company. To be clear, the legislation does not require companies
to take any actions other than to provide this disclosure to their
investors.
Many investors may be surprised to learn that board directors who
participated in the National Association of Corporate Directors, NACD,
roundtable discussions on cyber security late in 2013 admitted that
``the lack of adequate knowledge of information technology risk has
made it challenging for them to `effectively oversee management's
cybersecurity activities.' '' More recently, in Deloitte's 10th Global
Risk Management Survey of Financial Services Institutions, published
this month, 42 percent of respondents considered their institution to
be less effective in managing cybersecurity. And according to the
2016-2017 NACD Public Company Governance Survey, ``fifty-nine percent of
respondents reported that they find it challenging to oversee cyber
risk, and only 19 percent of respondents said that their boards possess
a high level of knowledge about cybersecurity.'' Indeed, Yahoo in its
most recent annual report, which was filed with the SEC last week,
disclosed that ``the Independent Committee found that failures in
communication, management, inquiry and internal reporting contributed
to the lack of proper comprehension and handling of the 2014 Security
Incident. The Independent Committee also found that the Audit and
Finance Committee and the full board were not adequately informed of
the full severity, risks, and potential impacts of the 2014 Security
Incident and related matters.'' The 2014 Security Incident here refers
to the fact that ``a copy of certain user account information for
approximately 500 million user accounts was stolen from Yahoo's network
in late 2014.'' This is particularly troubling given that data breaches
are on the rise. Indeed, 2016 was a record-breaking year for data
breaches, which increased 40 percent from the prior year to 1,093
breaches according to the Identity Theft Resource Center.
Investors and customers deserve a clear understanding of whether
publicly traded companies are prioritizing cyber security and have the
capacity to protect investors and customers from cyber-related attacks.
Our legislation aims to provide a better understanding of these issues
through improved SEC disclosure.
While this legislation is a matter for consideration by the Banking
Committee, of which I am a member, this bill is also informed by my
service on the Armed Services Committee and the Select Committee on
Intelligence. It is through this Banking-Armed Services-Intelligence
perspective that I see that our economic security is indeed a matter of
our national security, and this is particularly the case as our economy
becomes increasingly reliant on technology and the Internet.
For example, when he was Director of National Intelligence, James
Clapper appeared before the Armed Services Committee in 2015 and
testified that ``cyber threats to the U.S. national and economic
security are increasing in frequency, scale, sophistication and
severity of impact.'' He further said that ``[b]ecause of our heavy
dependence on the Internet, nearly all information communication
technologies and I.T. networks and systems will be perpetually at
risk.''
Indeed, retired Army GEN Keith Alexander, who is the former commander
of the United States Cyber Command and former Director of the National
Security Agency, appeared before the Armed Services Committee this
month and stated that ``while the primary responsibility of government
is to defend the nation, the private sector also shares responsibility
in creating the partnership necessary to make the defense of our nation
possible. Neither the government nor the private sector can capably
protect their systems and networks without extensive and close
cooperation.''
With mounting cyber threats and concerns over the capabilities of
corporate directors, we all need to be more proactive in ensuring our
Nation's cyber security before there are additional serious breaches.
This legislation seeks to take one step toward that
goal by encouraging publicly traded companies to be more transparent to
their investors and customers on whether and how their boards of
directors are prioritizing cyber security.
I thank Harvard Law School professor John Coates, MIT professor Simon
Johnson, Columbia Law School professor John Coffee, and the Consumer
Federation of America for their support, and I urge my colleagues to
join Senator Collins, Senator Warner, and me in supporting this
legislation.