Issue link: https://digital.shearman.com/i/1162884
Shearman & Sterling LLP 32 | Cybersecurity – Preparing for the Changing Landscape Government Regulation and Oversight: It is Only Getting Started Late in 2018, the President formed the Cybersecurity and Infrastructure Security Agency (CISA), a new federal agency within the Department of Homeland Security, which is focused on coordination of cybersecurity across all levels of government, and is charged with enhancing the security and resilience of United States cybersecurity, emergency communications and critical infrastructure. CISA's attention has been directed toward critical infrastructure, global technology supply chain and election security and integrity, which demonstrates a recognition of the need for centralized coordination of these issues within government, the need for specialized expertise and knowledge and the importance of a dedicated focus on cybersecurity issues on a continuous basis. Interestingly, these are all concepts that companies and their boards of directors should be considering as they develop their own cybersecurity and data protection strategies. The federal government's focus on cybersecurity may provide the impetus for direct engagement with public companies to better understand vulnerabilities, preparedness and responsiveness and to introduce a more robust regulatory framework to protect personal information. Across the United States, consumer protection statutes already in effect require companies to take certain steps when consumer data or personal information is compromised. When personal information is not the subject of a cybersecurity incident, however, companies may search for someone to notify. Currently, companies that are not regulated by a federal or state department or agency have no defined "place" to report a cybersecurity incident. For many public companies, their only "regulator" is the SEC, and the SEC is not really equipped, nor does it have the mandate, to receive general reports of cybersecurity events. Companies may also turn to the local Federal Bureau of Investigation (FBI) office, often with unsatisfying results due to the sheer number of notifications received and the lack of resources deployed. It is possible that CISA could establish a more organized way to notify and share information regarding cybersecurity incidents and threats to enable a governmental body to monitor threats and incidents to identify patterns, risks and culprits. In addition, Congress — both the House of Representatives and the Senate — are also getting involved. Congress has actively considered legislation across a range of topics related to public company oversight of cybersecurity matters. One recent bill gaining traction in Congress, and of particular interest to public companies, would establish a new disclosure rule requiring public companies to disclose whether or not the board has a director who qualifies as a cybersecurity expert and, if there is no such director, the company's cybersecurity measures that render such a cybersecurity expert unnecessary. To be clear, this legislation does not mandate any action with respect to changing the composition of the board. Congress understands that such demands often face challenges. On its face, it is a disclosure requirement that demands companies disclose and explain their decision- making related to the current composition of the board. The "explain" part, however, will force boards to think carefully before affirmatively stating that the company does not need a cybersecurity expert on the board, particularly when peer companies are taking a different approach. While this legislation is a long way from becoming a proxy statement disclosure requirement, it highlights that Congress is pressing public companies to think critically about how cybersecurity risks are managed and who is responsible for them. These actions may also fuel discussions with institutional investors and others in ordinary course engagement efforts. As nominating committee chairs engage with investors about board composition and refreshment, questions will inevitably be raised as to whether cybersecurity expertise should be a skill set necessary for the board.