[Congressional Record Volume 165, Number 37 (Thursday, February 28, 2019)]
[Senate]
[Pages S1595-S1596]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. REED (for himself, Ms. Collins, Mr. Warner, Mr. Kennedy, 
        and Mr. Jones):
  S. 592. A bill to amend the Securities and Exchange Act of 1934 to 
promote transparency in the oversight of cybersecurity risks at 
publicly traded companies; to the Committee on Banking, Housing, and 
Urban Affairs.

  Mr. REED. Mr. President, today I am reintroducing the Cybersecurity 
Disclosure Act along with two members of the Select Committee on 
Intelligence, Senator Collins, and the ranking member, Senator Warner, 
in addition to Senator Kennedy and Senator Jones, who also serve with 
me on the Senate Banking Committee. In response to data breaches of 
various companies that exposed the personal information of millions of 
customers, our legislation asks each publicly traded company to 
include--in Securities and Exchange Commission, SEC, disclosures to 
investors--information on whether any member of the board of directors 
is a cybersecurity expert, and if not, why having this expertise on the 
board of directors is not necessary because of other cybersecurity 
steps taken by the publicly traded company. To be clear, the 
legislation does not require companies to take any actions other than 
to provide this disclosure to their investors.
  In Deloitte's 11th Global Risk Management Survey of financial 
services institutions, published last month, ``sixty-seven percent of 
respondents named cybersecurity as one of the three risks that would 
increase the most in importance for their business over the next two 
years, far more than for any other risk. Yet, only about one-half of 
the respondents felt their institutions were extremely or very 
effective in managing this risk.'' According to the 2018-2019 National 
Association of Corporate Directors Public Company Governance Survey, 
only 52 percent of directors ``are confident that they sufficiently 
understand cyber risks to provide effective cyber-risk oversight,'' and 
58 percent ``believe their boards collectively know enough about cyber 
risk to provide effective oversight.'' Indeed, Yahoo, in its 2016 
annual report, disclosed, ``the Independent Committee found that 
failures in communication, management, inquiry and internal reporting 
contributed to the lack of proper comprehension and handling of the 
2014 Security Incident. The Independent Committee also found that the 
Audit and Finance Committee and the full board were not adequately 
informed of the full severity, risks, and potential impacts of the 2014 
Security Incident and related matters.'' The 2014 Security Incident 
here refers to the fact that ``a copy of certain user account 
information for approximately 500 million user accounts was stolen from 
Yahoo's network in late 2014.''
  This is particularly troubling given that data breaches expose more 
and more records containing personally identifiable information. 
Indeed, according to the Identity Theft Resource Center, the number of 
these types of records exposed by data breaches in the business 
industry grew from 181,630,520 in 2017 to 415,233,143 in 2018 and in 
the medical and healthcare industry from 5,302,846 in 2017 to 9,927,798 
last year. Across all industries, the number of records containing 
personally identifiable information exposed by data breaches rose 126 
percent, from 197,612,748 in 2017 to 446,515,334 in 2018.
  Investors and customers deserve a clear understanding of whether 
publicly traded companies are prioritizing cybersecurity and have the 
capacity to protect investors and customers from cyber related attacks. 
Our legislation aims to provide a better understanding of these issues 
through improved SEC disclosure.
  In testimony given to the Senate Banking Committee last June, Harvard 
Law Professor John Coates, who also practiced securities law as a 
partner at Wachtell, Lipton, Rosen & Katz, expressed support for our 
legislation by stating that ``[the Cybersecurity Disclosure Act] is 
well designed. It does not attempt to second-guess SEC guidance and 
rules regarding disclosures generally, or even as to cyber-risk 
overall. The bill simply asks publicly traded companies to disclose 
whether a cybersecurity expert is on the board of directors, and if 
not, why one is not necessary. To be clear, the bill does not require 
every publicly traded company to have a cybersecurity expert on its 
board. Publicly traded companies will still decide for themselves how 
to tailor their resources to their cybersecurity needs and disclose 
what they have decided. Some companies may choose to hire outside cyber 
consultants. Some may choose to boost cybersecurity expertise on staff. 
And some may decide to have a cybersecurity expert on the board of 
directors. The disclosure required would typically amount to a sentence 
or two.''
  While this legislation is a matter for consideration by the Banking 
Committee, of which I am a member, this bill is also informed by my 
service on the Armed Services Committee and the Select Committee on 
Intelligence. Through this Banking-Armed Services-Intelligence 
perspective, I see that our economic security is indeed a matter of our 
national security, and this is particularly the case as our economy 
becomes ever more dependent on technology and the internet.
  Indeed, General Darren W. McDew, the former commander of U.S. 
Transportation Command, which is charged with moving our military 
assets to meet our national security objectives in partnership with the 
private sector, offered several sobering assessments during an April 
10, 2018 hearing before the Senate Armed Services Committee. He stated 
that ``cyber is the number one threat to U.S. Transportation Command, 
but I believe it is the number one threat to the nation . . . in our 
headquarters, cyber is the commander's business, but not everywhere 
across our country is cyber a CEO's business . . . in our cyber 
roundtables, which is one of the things we are doing to raise our level 
of awareness, some of the CEO's chief security officers cannot even get 
to see the board, they cannot even . . . see the CEO. So that is a 
problem.''
  In my view, this is a real problem because, if we are attacked, the 
first strike will likely not be a physical one against the military but 
a cyber strike against the infrastructure of movement, logistics, and 
other critical assets in the civilian space.
  With growing cyber threats, we all need to be more proactive in 
ensuring our Nation's cybersecurity before there are additional serious 
breaches. This legislation seeks to take one step towards that goal by 
encouraging publicly traded companies to be more transparent to their 
investors and customers on whether and how their boards of directors 
and senior management are prioritizing cybersecurity.
  I thank the bill's supporters, including the North American 
Securities Administrators Association, the Council of Institutional 
Investors, the National Association of State Treasurers, the California 
Public Employees' Retirement System, the Bipartisan Policy Center, MIT 
Professor Simon Johnson, Columbia Law Professor Jack Coffee, Harvard 
Law Professor John Coates, K&L Gates LLP, and the Consumer Federation 
of America, and I urge my colleagues to join Senator Collins, Senator 
Warner, Senator Kennedy, Senator Jones, and me in supporting this 
legislation.