From: The Honorable Jim McDermott
Sent By:

Bill: H.R. 5069
Date: 7/1/2016

Dear Colleagues,


Cyber attacks are increasingly common and affect all sectors of the economy.  Thus, I have introduced legislation,  H.R. 5069-The Cybersecurity and Risks Reporting Act,  that amends the Sarbanes-Oxley Act of 2002 (SOX) to protect investors by expanding the mandated internal controls reports and disclosures of SOX to include cybersecurity systems and risks of public companies.


For an overview of corporate cyber disclosures, please see Bloomberg News that cites the bill: “Making Cyber Assurance Programs a Corporate Imperative”


The Cybersecurity Systems and Risks Reporting Act includes:

  • an expansion of the scope of SOX mandated audits to include the information systems of issuers
  • requirements for  issuers to report on the  effectiveness of their cybersecurity systems
  • requirements for  issuers to disclose significant deficiencies in their cybersecurity systems
  • the empowerment of the SEC, in consultation with Department of Homeland Security and Commerce, to make rules defining cybersecurity experts
  • requirements for issuers to disclose whether or not its SOX audit committee has a cybersecurity expert as a member


By mandating expert cybersecurity audits and reports, The Cybersecurity Systems and Risks Reporting Act empowers the SEC to hold public companies accountable for the security
of their information systems and requires them to be more forthcoming in public disclosures about their cybersecurity systems and risks.


In formulating the original SOX legislation, Congress relied on voluntary financial audit and internal control “best practices” developed years earlier by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of the five private sector audit organizations.  These “best practices” had many early and highly reputable adopters (e.g., Boeing) and were implemented with improved business performance.


Today, government agencies and business professionals recognize that cyber attacks pose risks to public companies and their investors. It is recommend that these companies
broaden their SOX monitoring and reporting to include cybersecurity. For example:


  • COSO has recently developed cybersecurity “best practices” for businesses in a “cyber-driven” world.
  • The SEC’s Division of Corporation Finance has issued cybersecurity risk disclosure guidance.
  • Professional audit organizations have embraced the new National Institute of Standards and Technology (NIST) cybersecurity framework.
  • The Federal Trade Commission (FTC) has taken legal actions against organizations that have had cybersecurity breaches.
  • President’s Council of Advisors on Science and Technology (PCAST) has recommended SEC-mandated cybersecurity system disclosures by public companies.


The goal of The Cybersecurity Systems and Risks Reporting Act is to modernize SOX so that the SEC, in cooperation with other government agencies and private professional organizations,
can incorporate cybersecurity frameworks into law. It will further empower the SEC to hold publicly companies accountable for maintaining cybersecurity and internal controls that will better protect their investors from financial risks in the cyber age.





Jim McDermott

Member of Congress