Apr 20 2016

The Cybersecurity Disclosure Act of 2015 – US Companies Must Be Aware

While this cybersecurity bill (the text can be viewed at https://www.congress.gov/bill/114th-congress/senate-bill/2410/text) is geared toward publicly held entities, the legislative direction is clear: all entities, both public and private, need to shift their focus to encompass cyber as a core segment of their risk management plan.

On December 17, 2015, the Cybersecurity Disclosure Act of 2015 (the “Bill”) was introduced in the US Senate with the intention of heightening corporate awareness of cybersecurity and highlighting “cybersecurity transparency.” Although the Bill is not yet law (it is currently under review by the Senate Committee on Banking, Housing, and Urban Affairs), it serves as a clear indication that cybersecurity is being viewed as a critical segment of corporate risk management.

This Bill would require each publicly traded company to either:

  • Disclose whether any member of its governing body (board of directors or general trustee) has expertise or experience in cybersecurity, and describe the nature of that expertise or experience; or
  • If no member has cybersecurity expertise or experience, describe what other cybersecurity measures the company has taken that have caused it to determine that cybersecurity expertise or experience is not required at the board or directorial level.

In other words, every covered company must either comply or explain: name the cyber expertise on its board, or justify why it has none. Having a strong IT department or a trusted Managed Service Provider (MSP) isn’t enough to satisfy that test. The Board and the Officers must have a firm grasp of the company’s cyber risk tolerance and be briefed on it regularly.

There are no plug-and-play efforts that will suffice as “other cybersecurity measures.” A comprehensive analysis, along the lines of the approach set forth in the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), will move your company in the intended direction. The C-suite cannot assume that IT has this covered, because this is much bigger than an IT project. Executives need to be in the loop, and Layer 8 Security is here to help.

For some additional reading about this topic, check out http://www.lexology.com/library/detail.aspx?g=a529dc0b-21fa-4b35-8bd4-58edb611fe94

To discuss your company’s current cyber resiliency or its current cyber governance measures, feel free to contact me at:


General Counsel/Governance and Compliance Adviser

800.530.9121 x 109