Sec. 2. Cybersecurity and information system requirements
/bill/114/hr/5069/ih/section-2
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 2(a) of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7201(a)) is amended— in paragraph (2), by inserting after financial statements the following: and information systems ; in paragraph (3)(A), by striking and financial and inserting , financial, and cybersecurity systems ; in paragraph (10)(B), by inserting after quality control policies and procedures, the following: cybersecurity systems standards and practices, ; and by adding at the end the following:

The term information system means a set of activities, involving people, processes, data, or technology, which enable the issuer to obtain, generate, use, and communicate transactions and information to maintain accountability and measure and review the issuer’s performance or progress towards achievement of objectives.

The term cybersecurity system means a set of activities or state, involving people, processes, data or technology, whereby the protection of an information system of the issuer is secured from, or defended against, damage, unauthorized use or modification, misdirection, disruption or exploitation.

The term cybersecurity risk means a significant vulnerability to, or a significant deficiency in, the security and defense activities of a cybersecurity system. .

Section 302 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7241) is amended— in the heading of such section, by inserting after REPORTS the following: AND INFORMATION SYSTEMS ; and in subsection (a)— by striking and the principal financial officer or officers, and inserting , the principal financial officer or officers, and the principal cybersecurity systems officer or officers ; in paragraph (4), by striking internal controls each place such term appears and inserting internal controls and cybersecurity systems ; in paragraph (5)— in subparagraph (A)— by inserting after operation of internal controls the following: and cybersecurity systems ; and by inserting before the semicolon the following: and any significant cybersecurity risks in issuer's information systems ; and in subparagraph (B), by inserting before the semicolon the following: , cybersecurity systems, or information systems ; and in paragraph (6)— by striking internal controls each place such term appears and inserting internal controls, cybersecurity systems, or information systems ; and by striking significant deficiencies and inserting cybersecurity risks, significant deficiencies, .

Section 404 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7262) is amended— in the heading of such section, by inserting after CONTROLS the following: AND INFORMATION SYSTEMS ; in subsection (a)— by inserting after contain an internal control the following: and information systems ; in paragraph (1), by striking an adequate internal control structure and procedures for financial reporting and inserting adequate internal control and cybersecurity systems structures and procedures for financial and information systems reporting ; and by amending paragraph (2) to read as follows: contain assessments, as of the end of the most recent fiscal year of the issuer, of the effectiveness of— the internal control structure and procedures of the issuer for financial reporting; and the cybersecurity systems structure of the issuer. ; and in subsection (b)— in the heading of such subsection, by inserting after Internal Control the following; and Cybersecurity Systems ; and by striking internal control assessment and inserting internal control and cybersecurity system structure assessments .

Section 407 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7265) is amended— in the heading of such section, by striking EXPERT and inserting AND CYBERSECURITY SYSTEMS EXPERTS ; in subsection (a)— in the heading of such subsection, by striking Expert and inserting and Cybersecurity Experts ; and by striking , as such term is defined by the Commission and inserting and at least 1 member who is a cybersecurity systems expert, as such terms are defined by the Commission in consultation with the Secretary of Homeland Security and the Secretary of Commerce ; and by striking subsection (c) and inserting the following: In defining the term cybersecurity expert for purposes of subsection (a), the Commission shall, in consultation with the Secretary of Homeland Security and the Secretary of Commerce, consider whether a person has, through education or experience as an information technology officer or information systems security officer, or from a position involving the performance of similar functions— an understanding of generally accepted principles, practices, and law relating to computer security, computer network security, and data security and privacy; experience in— the preparation of information systems audits for cybersecurity risk discovery; and the maintenance, implementation, and monitoring of information systems and their cybersecurity systems; experience with information systems aspects of internal accounting controls; and an understanding of audit committee functions. .

Section 408 of the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7265) is amended— in subsection (a), by striking financial statement and inserting financial, information systems, and cybersecurity systems statements ; and in subsection (b)— in paragraph (5), by striking and at the end; by redesignating paragraph (6) as paragraph (7); and by inserting after paragraph (5) the following: issuers that have issued cybersecurity risks disclosures; and .

The table of contents in section 1(b) of the Sarbanes-Oxley Act of 2002 is amended— in the item relating to section 302, by inserting after REPORTS the following: AND INFORMATION SYSTEMS ; in the item relating to section 404, by inserting after CONTROLS the following: AND INFORMATION SYSTEMS ; and in the item relating to section 407, by striking EXPERT and inserting AND CYBERSECURITY SYSTEMS EXPERTS .