New Cybersecurity Bills Promote CISOs and Privacy

Two bills, currently in the Senate, have the potential to change the U.S. cybersecurity landscape if passed into law. The first is the 'Cybersecurity Disclosure Act of 2019', introduced by Senator Jack Reed (D-RI) on 28 February 2019. The second is the 'Mind Your Own Business Act of 2019', introduced by Senator Ron Wyden (D-OR) last week on 17 October 2019.


The Cybersecurity Disclosure Act of 2019 is a relatively small change of wording to the Cybersecurity Disclosure Act of 2017, but with potentially far-reaching effects. There are three relevant paragraphs in the new act. The first, which is unchanged from the 2017 version, requires the disclosure of whether anybody at board level has cybersecurity expertise, and the nature of that expertise, in the organization's annual report or annual proxy statement to the Securities and Exchange Commission (SEC).


The second paragraph is amended. Wording changes from "what other cybersecurity steps taken by the reporting company were taken into account" to "what other aspects of the reporting company's cybersecurity were taken into account by any person..." There is now more focus on the existing cybersecurity posture and a 'person' to be involved.


The third paragraph in both versions of the act says the FTC should consult with NIST, with reference to the NIST SP 800-181 Cybersecurity Workforce Framework, to "define what constitutes expertise or experience in cybersecurity... using commonly defined roles..."


The NIST document does not define a chief information security officer role or tasks (the title is mentioned just three times). Nevertheless, it is difficult to see how the position of the 'person', as required by the new act, could be fulfilled by any single person other than an organizational < ..