Senator Rockefeller to Fortune 500 CEOs: What’s In Your Cybersecurity Plan?

“Companies should be proactive and implement cybersecurity safeguards and policies now so that these protections are already in place by the time any regulatory action is taken.” (Mintz Levin)

Earlier this month, Senator John D. (Jay) Rockefeller IV took his fight for greater cybersecurity preparedness directly to Corporate America.

Senator Rockefeller is Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation and one of the sponsors of the failed Cybersecurity Act of 2012. He’s also the author of a recent letter urging President Obama to issue an executive order on cybersecurity.

In an unusual move, the Senator sent a letter on September 19 to CEOs at every Fortune 500 company, seeking input on both their cybersecurity plans and their views on federal legislation aimed at protecting the country from cyberattacks.

The letter had two objectives: increase support for federal cybersecurity measures, and at the same time gain the upper hand on business lobbying groups who opposed the legislation. Law firm Morrison & Foerster:

“In sending the letter to the CEOs, Senator Rockefeller is essentially performing an end run around the Chamber of Commerce. He states that he would be ‘surprised to learn’ that American companies, realizing that what’s good for national security is good for their bottom line, would be as ‘intransigently opposed’ to cybersecurity legislation as the Chamber of Commerce.”

The Senator may also be preparing for a more formal review of corporate cybersecurity practices. From law firm King & Spalding:

“It is also possible—consistent with Committee action in other investigations and inquiries—that the Committee is gathering information that may eventually surface at a Committee hearing, in a Committee or staff report, or during Senate debate.”

So what’s in the letter? Mintz Levin’s Cynthia Larose and Adam Veness:

“… Senator Rockefeller asks the companies to provide the Senate Commerce Committee with answers to eight questions about their cybersecurity needs, as well as their views on the Cybersecurity Act of 2012:

  1. Has your company adopted a set of best practices to address its own cybersecurity needs?
  2. If so, how were these cybersecurity practices developed?
  3. Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
  4. When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?”

Senator Rockefeller asked CEOs to respond by Friday, October 19. Of note: a reply is requested, not required. Again, King & Spalding:

“Chairman Rockefeller’s request for information does not legally compel companies to respond, but a Committee spokesman has stated that the Committee expects to hear from each company.”

Wondering what Senator Rockefeller said to the White House in his call for an executive order on cybersecurity? Barbara Murphy Melby and Timothy Lynch of Morgan Lewis:

“In the opinion of Senator Rockefeller, the executive order should do the following:

  • Begin with a comprehensive and collaborative government-private sector risk assessment to inventory the threats and vulnerabilities that pose particular risks to particular categories of critical infrastructure.
  • Draw on government and private sector expertise to develop dynamic and adaptable cybersecurity practices that are best suited for each critical infrastructure sector.
  • Implement these practices through private sector collaboration with, and assistance from, an interagency effort that includes the Departments of Defense, Commerce, and Justice, as well as other sector-specific agencies and regulators, and is led by the Department of Homeland Security.”

Senator Rockefeller’s call for an executive order does not mean he has given up on legislation, however. On the contrary, write Stuart Levi and Ivan Schlager of Skadden Arps:

“… Rockefeller asserted that while an executive order would be a ‘step in the right direction,’ it would at best still only accomplish a part of what was intended by the Cybersecurity Act of 2012 and that legislation is still needed. He noted calls from top military officials, including the chairman of the Joint Chiefs of Staff and the head of the National Security Agency, for the Senate to pass cybersecurity legislation.”
