Cornell University Library

New York Surrogate Gideon Tucker (1826-1899) is credited with originating the maxim that “no man’s life, liberty or property are safe while the legislature is in session.”  Were Surrogate Tucker around today, he might have added boards of directors to those who should be wary of legislative action.

There are numerous weird bills rumbling around the hallowed halls of Washington these days, but one of the bills that is making me unhappy is the Cybersecurity Disclosure Act of 2017.  The good news is that the bill is very short.

The bad news is threefold.

  • The bill would require the SEC to adopt rules requiring public companies to disclose whether any member of the board (or other governing body) has “expertise or experience in cybersecurity”; if so, the company must “fully describe the nature of the expertise or experience.”
  • If no one on the board has the requisite experience or expertise, the bill would require the company “to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.”
  • The bill has bipartisan support in the persons of Democrats Mark Warner (VA) and Jack Reed (RI) and Republican Susan Collins (ME).

Of course, we want our public companies’ boards to have the requisite skills to deal with all sorts of issues.  However, specifying the types of skills that a company’s board must have strikes me as the ultimate one-size-fits-all approach and has no logical limits.  Should every public company have an expert on revenue recognition?  Related-party transactions?  Has anyone thought through the consequences of having a board comprised of one-issue experts who may not have any other applicable skill sets? And would a cyber-expert want to be on a board, given that he or she would likely be blamed (and possibly sued) if the company had a breach or other cyber problem?

BTW – I realize that the bill doesn’t require a board to have a cyber-expert.  Just like the SEC rules don’t require audit committees to have an “audit committee financial expert”.  But I’m not aware of any public company that doesn’t have one.  At a minimum, this bill would add some more unhelpful disclosure to our already bloated proxy statements.

So life, liberty and property aren’t the only things at risk when the legislature is in session.  IMHO, sanity can join the list as well.