Senator Jay Rockefeller (D., West Virginia), the most vocal proponent of cybersecurity legislation, has renewed his focus on the issue. He has sponsored previous cybersecurity-related legislation, but has been unable to get any meaningful legislation in this area enacted. His prior sponsorship of the proposed Cybersecurity Act of 2012 initially seemed to draw support in the Senate, but it encountered strong opposition from the United States Chamber of Commerce. The Chamber strongly criticized this proposed legislation and went so far as to state that the Chamber would include senators’ votes on this proposed legislation in its annual “How They Voted” survey. In any case, this proposed legislation was not passed in 2012.
One of the strongest aspects of the Chamber’s resistance to this proposed legislation was the assertion that American companies would be strongly opposed to the legislation. To confirm the positions of American companies on this issue, Senator Rockefeller sent a letter to the CEOs of all Fortune 500 companies on September 19, 2012. The Senator’s office has now received responses to this letter and the majority staff summarized them in a January 28, 2013 Memorandum.
Approximately 300 companies responded to the Senator’s letter. The companies that responded were predominantly larger members of the Fortune 500. According to the Staff Memorandum, the overall responses of the companies were favorable to potential cybersecurity legislation (with some important caveats).
Based on the Staff Memorandum, there appears to be general support from the responding companies for a voluntary cybersecurity compliance program. The companies’ main objections appear to be the negative effects of a mandatory cybersecurity program (especially a rigid program that does not allow for the vast differences in size, industry, resources and other critical items that exist among American companies), the loss of flexibility in designing cybersecurity programs if the government mandates compliance requirements, and duplication of the companies’ existing efforts.
Perhaps encouraged by this positive sentiment from our largest companies, Senator Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 (Senate Bill 21) in the Senate. This was a brief bill that summarized the components of more comprehensive cybersecurity legislation, and it appears to have been filed to keep this issue in front of the Senate and to determine the mood of the Senate on cybersecurity issues. It is clear that Senator Rockefeller will file more comprehensive cybersecurity legislation in the Senate later this year.
Despite the positive reaction to Senator Rockefeller’s letter from many of the responding companies, the feasibility of passing any comprehensive cybersecurity legislation during 2013 is unclear. Some observers expect President Obama to issue an Executive Order on cybersecurity matters due to the failure of the legislature to enact meaningful legislation. Senator Rockefeller has supported such an Executive Order in the past, and in fact he referred to it in his September 19, 2012 letter. This Executive Order will become a much more realistic possibility if cybersecurity legislation is substantially delayed in the Senate this year. You can get an idea of what this Executive Order may contain by reading the most current draft of the Executive Order dated November 21, 2012.
Dave Lynn published a nice summary of these cybersecurity matters on TheCorporateCounsel.net. For a good analysis of the factors that favor a strong national cybersecurity policy, read Alan Shimel’s blog post on networkworld.com.
What does this mean for public companies or for private companies that anticipate doing a securities offering? Cybersecurity issues will continue to be a focus for legislative activity. This will eventually translate into scrutiny by securities and other regulatory agencies and mandated compliance requirements. Forward-thinking companies should try to get out ahead of this scrutiny and these compliance requirements to avoid being pushed into them at an unreasonable pace later. Strong business and economic incentives also exist here, as adopting cybersecurity measures can help to mitigate or minimize the costs and severity of subsequent compliance requirements and litigation. Currently the SEC’s guidance on cybersecurity topics continues to be the October 13, 2011 CF Disclosure Guidance: Topic No. 2 – Cybersecurity (discussed in my prior blog post). It is possible to use this Disclosure Guidance and knowledge about the current status of cybersecurity issues to develop a good idea of where cybersecurity disclosure is going in the near future. Cybersecurity is here to stay – but you can take some steps now to minimize its effects and costs.