U.S. Securities and Exchange Commission Chairman Mary Jo White has asked her staff to review whether publicly traded companies should be prodded to disclose more information about cyberattacks on their computer networks.
White has asked her staff to give her “a briefing of the current disclosure practices and overall compliance” with SEC guidance on cybersecurity and “any recommendations they have regarding further action in this area,” she said in a letter to Senate Commerce Committee Chairman Jay Rockefeller.
In the letter, dated May 1 and released by Rockefeller’s office today, White said SEC staff-level guidance to companies on cybersecurity “has had a positive impact” on better informing the public in company filings.
The guidance advises public companies to disclose to investors the threat and potential impact of cyber attacks that pose a “specific and material” risk.
The commission’s staff has issued comments related to cybersecurity disclosures to about 50 publicly traded companies, White said, disclosing for the first time how many companies the agency has contacted regarding their filings.
“Staff is using the information gathered through these efforts to evaluate the efficacy of the guidance,” White wrote.
The 27 largest U.S. companies disclosing cyber attacks to the SEC this year all said they sustained no major financial losses, according to a Bloomberg review of company filings. The reports contrasted with statements from U.S. government officials who say billions of dollars in corporate secrets are being stolen.
Rockefeller, a West Virginia Democrat, convinced the SEC to issue the guidance in October 2011. Rockefeller sent White a letter April 9 calling on the SEC to elevate the guidance and issue it at the commission level.
“While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices,” Rockefeller wrote. In her response to Rockefeller, White didn’t say whether the agency will toughen the guidance.
Rockefeller has pushed legislation to make the SEC issue stronger guidelines for disclosing risks of cyber attacks, urging that it be included in cybersecurity legislation in 2012. That measure died in the Senate.
White’s response “makes it clear the SEC will continue to prioritize increased disclosure of cybersecurity practices and to monitor the steps companies are taking to manage cybersecurity risks,” Rockefeller said in an e-mailed statement today.
“It’s important for investors to understand whether companies are effectively addressing all forms of risk, from financial and operational to cyber, and this information is a key element in the legislation that the Senate is working on to strengthen our nation’s cybersecurity,” he said.