A U.S. Senate leader asked the new Securities and Exchange Commission chairman to give more authoritative guidance to companies on disclosing cyber attacks, saying reporting so far is “insufficient.”
“While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices,” Senate Commerce Committee Chairman Jay Rockefeller said in a letter today to agency Chairman Mary Jo White.
“The SEC should elevate this guidance and issue it at the Commission level as well,” Rockefeller wrote to White, who was confirmed April 8. Rockefeller, a West Virginia Democrat, convinced the SEC to issue staff-level guidance to companies on cybersecurity in October 2011.
The SEC declined to comment before White responds to Rockefeller, John Nester, an agency spokesman, said in an e-mail.
The 27 largest U.S. companies disclosing cyber attacks to the SEC this year all said they sustained no major financial losses, according to a Bloomberg review of company filings. The reports contrasted with statements from U.S. government officials who say billions of dollars in corporate secrets are being stolen.
“Investors deserve to know whether companies are effectively addressing their cybersecurity risks -- just as investors should know whether companies are managing their financial and operational risks,” Rockefeller said in the letter to White. “Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cybersecurity efforts seriously.”
Rockefeller in May 2011 wrote to then-SEC Chairman Mary Schapiro pointing out the growing risk posed to U.S. companies by “malicious actors” who “attack and disrupt computer networks to steal valuable trade secrets, intellectual property, and financial and confidential information.”
He asked the SEC to develop and publish guidance to clarify disclosure requirements pertaining to “information security risk, including material information security breaches involving intellectual property or trade secrets.”
The SEC then advised publicly traded companies to disclose to investors the threat and potential impact of cyber attacks that pose a “specific and material” risk.
Rockefeller has since pushed legislation to make the SEC issue stronger guidelines for disclosing risks of cyber attacks, urging that it be included in cybersecurity legislation in 2012. That measure died in the Senate.
In 2012 annual reports filed with the SEC, companies including MetLife Inc., Coca-Cola Co., and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks. Citigroup Inc. reported “limited losses” while the others said there was no material impact.