The U.S. Senate recently proposed a cybersecurity disclosure bill that would require public companies to describe what cybersecurity expertise their boards have, or, if they don't have any, what steps the companies are taking to get some expertise onto their boards.
"It seems like a pretty simple and straightforward bill," said Chris Wysopal, CTO and CISO at Veracode. "It doesn't have anything onerous except some disclosures about the board. To me, it has a chance of passing."
The bill fits neatly into some research that Veracode conducted with the New York Stock Exchange, in which a surprising 90 percent of corporate board members said that regulators should hold businesses liable for breaches if they were negligent with customer data or failed to have reasonable security in place.
"But there's no clear guidance from the SEC or the FTC about what is reasonable security practices," he said. "Boards want to see more clarity there."
Companies already have many reporting and compliance requirements that impact spending on cybersecurity. In fact, according to a survey released just this week by the Ponemon Institute, the need to comply with privacy or data security regulations was the single biggest driver of the use of encryption technology.
There are already numerous federal laws and individual state disclosure requirements, but as the breaches keep coming, security experts expect that the amount of oversight will only continue to increase.
Take the Securities and Exchange Commission, which has recently been stepping up its cybersecurity-related activity.
In 2011, the SEC's Division of Corporation Finance issued disclosure guidance directing publicly traded companies to disclose material cybersecurity risks and incidents alongside the other material risks they already report.
"In the end, this is all a push to raise the bar on cybersecurity across all institutions," said Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyberrisk Services.
"For listed companies, the guidance that was provided in 2011 is still the main focus that most are still using as a baseline," said Peter Dugas, managing director of government affairs at the Center of Regulatory Intelligence at FIS Global.
For example, companies need to disclose whether aspects of their business or outsourced functions create cybersecurity risks, whether they have had security incidents that affected the company, and even the potential risk of long-term attacks that go undetected.
But the guidance leaves a lot open to interpretation.
There is a lack of clarity, said Sara Romine, attorney at Carrington, Coleman, Sloman & Blumenthal, L.L.P.
"We know that you don't have to disclose vulnerabilities so that you would be providing hackers information on where the company is vulnerable," she said. "But you know that you have to disclose enough that investors appreciate the nature of the risks facing the company. So where do you draw the line? How much do you have to disclose?"