SEC May Require More Cyber Risk Disclosures Under Senate Bill

The U.S. Securities and Exchange Commission would consider stronger guidelines for company disclosures about the risks of computer attacks, under a cybersecurity bill being debated in the Senate.

The U.S. Chamber of Commerce, the nation’s largest business lobby, criticized the provision in a letter to senators yesterday, saying it’s designed to force companies to tell the public about breaches of their computer networks.

The bill “aims to ‘name-and-shame’ companies and could compromise their security,” R. Bruce Josten, the Washington-based Chamber’s executive vice president of government affairs, said in the letter. “The Chamber strongly rejects mandating businesses to publicly disclose sensitive security information.”

Senator Jay Rockefeller, a West Virginia Democrat who leads the Senate Commerce Committee, pushed to include the provision in a revised bill aimed at boosting the nation’s computer defenses.

“The SEC provision protects investors, the public and the companies themselves,” Vincent Morris, a spokesman for Rockefeller, said in an e-mail. “So it’s our feeling that the Chamber should not try and undermine that piece.”

Material Effect

Under guidance issued last October, the staff of the SEC’s division of corporation finance recommended that financial statements address the threat posed by hackers if a network breach is “reasonably likely” to have a material effect on a company, including the theft of intellectual property or increased security costs.

The cybersecurity bill would require the SEC to review that guidance and decide whether it should be updated or issued as a formal commission guideline. The bill would also require the SEC to submit annual reports to Congress on cyber risks disclosed in the previous year.

John Nester, an SEC spokesman, declined to comment.

“A good board thinks about protecting the company from cyber risk anyway,” Charles Elson, director of the John L. Weinberg Center for Corporate Governance at the University of Delaware, said in an interview. “Mandating disclosure will create a bureaucratic response rather than a thoughtful review.”

Security Standards

Rockefeller is among a group of senators led by Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican, pushing for the Senate to pass cybersecurity legislation before its summer recess that starts Aug. 6.

The senators revised their cyber-defense bill last week in an effort to pick up Republican votes, outlining a system of voluntary security standards for critical infrastructure such as power grids and chemical plants, rather than mandatory government rules contained in a previous bill.

The Senate voted today to proceed to a vote on the bill.

The Chamber of Commerce opposes the bill’s approach, saying the voluntary standards could be used to impose new obligations on participating companies.

The Lieberman bill is S. 3414.
