SEC Urged to Give Stronger Guidance on Cyber DisclosureElizabeth Wasserman
A U.S. Senate leader asked the new Securities and Exchange Commission chairman to give more authoritative guidance to companies on disclosing cyber attacks, saying reporting so far is “insufficient.”
“While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices,” Senate Commerce Committee Chairman Jay Rockefeller said in a letter today to agency Chairman Mary Jo White.
“The SEC should elevate this guidance and issue it at the Commission level as well,” Rockefeller wrote to White, who was confirmed April 8. Rockefeller, a West Virginia Democrat, convinced the SEC to issue staff-level guidance to companies on cybersecurity in October 2011.
The SEC declined to comment before White responds to Rockefeller, John Nester, an agency spokesman, said in an e-mail.
The 27 largest U.S. companies disclosing cyber attacks to the SEC this year all said they sustained no major financial losses, according to a Bloomberg review of company filings. The reports contrasted with statements from U.S. government officials who say billions of dollars in corporate secrets are being stolen.
“Investors deserve to know whether companies are effectively addressing their cybersecurity risks -- just as investors should know whether companies are managing their financial and operational risks,” Rockefeller said in the letter to White. “Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cybersecurity efforts seriously.”
Rockefeller in May 2011 wrote to then-SEC Chairman Mary Schapiro pointing out the growing risk posed to U.S. companies by “malicious actors” who “attack and disrupt computer networks to steal valuable trade secrets, intellectual property, and financial and confidential information.”
He asked the SEC to develop and publish guidance to clarify disclosure requirements pertaining to “information security risk, including material information security breaches involving intellectual property or trade secrets.”
The SEC then advised publicly traded companies to disclose to investors the threat and potential impact of cyber attacks that pose a “specific and material” risk.
Rockefeller has since pushed legislation to make the SEC issue stronger guidelines for disclosing risks of cyber attacks, urging that it be included in cybersecurity legislation in 2012. That measure died in the Senate.
In 2012 annual reports filed with the SEC, companies including MetLife Inc., Coca-Cola Co., and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks. Citigroup Inc. reported “limited losses” while the others said there was no material impact.
The SEC staff is interested in knowing the origin of cyber attacks, including whether the intruder is a competitor, foreign government or hacker group, Mark Kronforst, the SEC’s associate director for disclosure operations, said at a panel discussion in Washington April 5. The staff also wants to know when an attack isn’t discovered by the company and found by a third party.
The SEC staff hasn’t asked those questions in correspondence with public companies, Lona Nallengara, the SEC’s corporation finance director, said in an interview after the panel discussion.
“If you’re an investor and you want to see the company you are investing in is adequately protected against cyber attack, you’d want to know did their systems detect it?” Nallengara said. “Did they know they got breached? Or did they find out a month later when someone told them that we found records this came from your company?”
Information about the source of an attack could yield insight into whether it’s material to investors, Nallengara said. “Is it a competitor? Someone seeking your proprietary information or your technology. Or on the contrary, is it someone simply out to destroy or simply not motivated by financial gain?”
Disclosure about specific attacks “is still fairly rare at this point,” Kronforst said on the panel discussion.