Cybersecurity Systems and Risks Reporting Act
This bill amends the Sarbanes-Oxley Act of 2002 to apply to cybersecurity systems and cybersecurity systems officers the same requirements regarding corporate responsibility for financial reports and management's assessments of internal control structures and procedures for financial reporting as apply to public companies subject to oversight by the Securities and Exchange Commission (SEC).
The SEC shall issue rules to define cybersecurity expert and require each issuer of securities to disclose whether or not (and if not, the reasons why) the issuer's audit committee has at least one member who is a cybersecurity expert.
The SEC shall review an issuer's information systems and cybersecurity systems statements. In scheduling such reviews, the SEC shall consider, among other things, issuers that have issued cybersecurity risks disclosures.
[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5069 Introduced in House (IH)]
114th CONGRESS
2d Session
H. R. 5069
To amend the Sarbanes-Oxley Act of 2002 to protect investors by
expanding the mandated internal controls reports and disclosures to
include cybersecurity systems and risks of publicly traded companies.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 26, 2016
Mr. McDermott introduced the following bill; which was referred to the
Committee on Financial Services
_______________________________________________________________________
A BILL
To amend the Sarbanes-Oxley Act of 2002 to protect investors by
expanding the mandated internal controls reports and disclosures to
include cybersecurity systems and risks of publicly traded companies.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cybersecurity Systems and Risks
Reporting Act''.
SEC. 2. CYBERSECURITY AND INFORMATION SYSTEM REQUIREMENTS.
(a) Definitions.--Section 2(a) of the Sarbanes-Oxley Act of 2002
(15 U.S.C. 7201(a)) is amended--
(1) in paragraph (2), by inserting after ``financial
statements'' the following: ``and information systems'';
(2) in paragraph (3)(A), by striking ``and financial'' and
inserting ``, financial, and cybersecurity systems'';
(3) in paragraph (10)(B), by inserting after ``quality
control policies and procedures,'' the following:
``cybersecurity systems standards and practices,''; and
(4) by adding at the end the following:
``(18) Information system.--The term `information system'
means a set of activities, involving people, processes, data,
or technology, which enable the issuer to obtain, generate,
use, and communicate transactions and information to maintain
accountability and measure and review the issuer's performance
or progress towards achievement of objectives.
``(19) Cybersecurity system.--The term `cybersecurity
system' means a set of activities or state, involving people,
processes, data or technology, whereby the protection of an
information system of the issuer is secured from, or defended
against, damage, unauthorized use or modification,
misdirection, disruption or exploitation.
``(20) Cybersecurity risk.--The term `cybersecurity risk'
means a significant vulnerability to, or a significant
deficiency in, the security and defense activities of a
cybersecurity system.''.
(b) Corporate Responsibility.--Section 302 of the Sarbanes-Oxley
Act of 2002 (15 U.S.C. 7241) is amended--
(1) in the heading of such section, by inserting after
``reports'' the following: ``and information systems''; and
(2) in subsection (a)--
(A) by striking ``and the principal financial
officer or officers,'' and inserting ``, the principal
financial officer or officers, and the principal
cybersecurity systems officer or officers'';
(B) in paragraph (4), by striking ``internal
controls'' each place such term appears and inserting
``internal controls and cybersecurity systems'';
(C) in paragraph (5)--
(i) in subparagraph (A)--
(I) by inserting after ``operation
of internal controls'' the following:
``and cybersecurity systems''; and
(II) by inserting before the
semicolon the following: ``and any
significant cybersecurity risks in
issuer's information systems''; and
(ii) in subparagraph (B), by inserting
before the semicolon the following: ``,
cybersecurity systems, or information
systems''; and
(D) in paragraph (6)--
(i) by striking ``internal controls'' each
place such term appears and inserting
``internal controls, cybersecurity systems, or
information systems''; and
(ii) by striking ``significant
deficiencies'' and inserting ``cybersecurity
risks, significant deficiencies,''.
(c) Management Assessment.--Section 404 of the Sarbanes-Oxley Act
of 2002 (15 U.S.C. 7262) is amended--
(1) in the heading of such section, by inserting after
``controls'' the following: ``and information systems'';
(2) in subsection (a)--
(A) by inserting after ``contain an internal
control'' the following: ``and information systems'';
(B) in paragraph (1), by striking ``an adequate
internal control structure and procedures for financial
reporting'' and inserting ``adequate internal control
and cybersecurity systems structures and procedures for
financial and information systems reporting''; and
(C) by amending paragraph (2) to read as follows:
``(2) contain assessments, as of the end of the most recent
fiscal year of the issuer, of the effectiveness of--
``(A) the internal control structure and procedures
of the issuer for financial reporting; and
``(B) the cybersecurity systems structure of the
issuer.''; and
(3) in subsection (b)--
(A) in the heading of such subsection, by inserting
after ``Internal Control'' the following: ``and
Cybersecurity Systems''; and
(B) by striking ``internal control assessment'' and
inserting ``internal control and cybersecurity system
structure assessments''.
(d) Disclosure of Expert.--Section 407 of the Sarbanes-Oxley Act of
2002 (15 U.S.C. 7265) is amended--
(1) in the heading of such section, by striking ``expert''
and inserting ``and cybersecurity systems experts'';
(2) in subsection (a)--
(A) in the heading of such subsection, by striking
``Expert'' and inserting ``and Cybersecurity Experts'';
and
(B) by striking ``, as such term is defined by the
Commission'' and inserting ``and at least 1 member who
is a cybersecurity systems expert, as such terms are
defined by the Commission in consultation with the
Secretary of Homeland Security and the Secretary of
Commerce''; and
(3) by striking subsection (c) and inserting the following:
``(c) Considerations With Respect to Cybersecurity Experts.--In
defining the term `cybersecurity expert' for purposes of subsection
(a), the Commission shall, in consultation with the Secretary of
Homeland Security and the Secretary of Commerce, consider whether a
person has, through education or experience as an information
technology officer or information systems security officer, or from a
position involving the performance of similar functions--
``(1) an understanding of generally accepted principles,
practices, and law relating to computer security, computer
network security, and data security and privacy;
``(2) experience in--
``(A) the preparation of information systems audits
for cybersecurity risk discovery; and
``(B) the maintenance, implementation, and
monitoring of information systems and their
cybersecurity systems;
``(3) experience with information systems aspects of
internal accounting controls; and
``(4) an understanding of audit committee functions.''.
(e) Enhanced Review.--Section 408 of the Sarbanes-Oxley Act of 2002
(15 U.S.C. 7265) is amended--
(1) in subsection (a), by striking ``financial statement''
and inserting ``financial, information systems, and
cybersecurity systems statements''; and
(2) in subsection (b)--
(A) in paragraph (5), by striking ``and'' at the
end;
(B) by redesignating paragraph (6) as paragraph
(7); and
(C) by inserting after paragraph (5) the following:
``(6) issuers that have issued cybersecurity risks
disclosures; and''.
(f) Clerical Amendment.--The table of contents in section 1(b) of
the Sarbanes-Oxley Act of 2002 is amended--
(1) in the item relating to section 302, by inserting after
``REPORTS'' the following: ``AND INFORMATION SYSTEMS'';
(2) in the item relating to section 404, by inserting after
``CONTROLS'' the following: ``AND INFORMATION SYSTEMS''; and
(3) in the item relating to section 407, by striking
``EXPERT'' and inserting ``AND CYBERSECURITY SYSTEMS EXPERTS''.
Introduced in House
Referred to the House Committee on Financial Services.