New Bill May Require Companies to Address Directors’ Cybersecurity Expertise

January 5, 2016
Firm Publication

To date, publicly traded companies have not been required to nominate directors who are cybersecurity experts, though Commissioner Luis A. Aguilar of the Securities and Exchange Commission (SEC) has recommended strongly that companies at least consider nominating some directors with technological expertise or knowledge.1┬áLegislation recently introduced by Senators Jack Reed (D-RI) and Susan Collins (R-ME) aims to embrace Commissioner Aguilar’s suggestion. The Cybersecurity Disclosure Act of 2015 (S.2410) would require the SEC to issue rules requiring public companies to disclose in their annual reports or proxy statements whether any members of a company’s board of directors have any expertise or experience in cybersecurity and, if none, to describe what other steps have been taken to address cybersecurity when evaluating potential nominees.

This proposed legislation does not require companies to nominate directors with cybersecurity expertise or experience; however, it opens the door to potential shareholder scrutiny if companies decline to nominate such directors. Though it is uncertain whether this bill will pass, its introduction continues the growing trend of increased regulatory and legislative scrutiny regarding cybersecurity and how companies address cyber threats.

Bass, Berry & Sims will continue to monitor and provide updates as we track cybersecurity legislation. If you have questions regarding the potential effects of this legislation or any other cybersecurity concerns relating to your organization, please contact an attorney on our Data Security & Privacy Team.


1Luis A. Aguilar, Commissioner, SEC, “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange (June 10, 2014) (“I commend the boards that are proactively addressing these new risks of the 21st Century. However, while enhancing board knowledge and board involvement is a good business practice, it is not necessarily a panacea to comprehensive cybersecurity oversight.”), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946.