Senate Commerce Committee Chairman Jay Rockefeller has come up with a new tactic to push companies like Sony to disclose hack attacks and data security breaches more promptly: He’s asked the Securities and Exchange Commission to require companies to treat attacks as time-sensitive information that must be provided to investors.
In a letter to SEC Chair Mary Schapiro, Rockefeller and three other senators said: “Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat… it is essential that corporate leaders know their responsibility for managing and disclosing security risk.”
In a press release, Rockefeller added:
Cyber risk management is a critical corporate responsibility. Federal securities law requires publicly traded companies to disclose “material” risks and events, including cyber risks and network breaches. A review of past disclosures suggests that a significant number of companies are failing to meet these requirements. The SEC has longstanding authority to publish “interpretive guidance” to clarify corporate responsibilities, protect investors, and promote fair and efficient markets.
If the SEC acts, it could make it harder for publicly traded companies to sit on information about security breaches. However, the agency would not be able to require privately held companies to follow suit, so consumers may still be left in the dark about future leaks at companies like Lookout Services, which recently settled with the Federal Trade Commission for failing to protect customer information including Social Security numbers.
Rockefeller Calls on SEC to Make Corporate Cyber Attacks Public [Press Release]