Firms expect greater government cybersecurity oversight

The U.S. Senate recently proposed a cybersecurity disclosure bill that would require public companies to describe what cybersecurity expertise their boards have, or, if they don't have any, what steps the companies are taking to get some expertise onto their boards



"It seems like a pretty simple and straightforward bill," said Chris Wysopal, CTO and CISO at Veracode. "It doesn't have anything onerous except some disclosures about the board. To me, it has a chance of passing."

The bill fits neatly into some research that Veracode conducted with the New York Stock Exchange, in which a surprising 90 percent of corporate board members said that regulators should hold businesses liable for breaches if they were negligent with customer data or failed to have reasonable security in place.

"But there's no clear guidance from the SEC or the FTC about what is reasonable security practices," he said. "Boards want to see more clarity there."


Companies already have many reporting and compliance requirements that impact spending on cybersecurity. In fact, according to a survey released just this week by the Ponemon Institute, the need to comply with privacy or data security regulations was the single biggest driver of the use of encryption technology.

There are already numerous federal laws and individual state disclosure requirements, but as the breaches keep coming, security experts expect that the amount of oversight will only continue to increase.

Take the Securities and Exchange Commission, which has recently been stepping up its cybersecurity-related activity.

In 2011, the SEC issued guidance requiring publicly traded companies to report cybersecurity risks alongside other kinds of material risks.


"For listed companies, the guidance that was provided in 2011 is still the main focus that most are still using as a baseline," said Peter Dugas, managing director of government affairs at FIS Global's Center of Regulatory Intelligence.

For example, companies need to report if there are aspects of their business or outsourced functions that create cybersecurity risks, if they've had security incidents that have had an impact on the company, and even the potential risks of long-term undetected attacks.

Copyright © 2016 IDG Communications, Inc.
