Rockefeller to SEC: Elevate Cybersecurity Guidance
Getting More Companies to Include Cyber-Incidents in SEC Filings
Sen. Jay Rockefeller wants the Securities and Exchange Commission to elevate its guidance that businesses report significant cybersecurity incidents in their SEC filings.
In October 2011, after receiving a request from Rockefeller and four other senators [see Senators Ask SEC to Issue IT Security Guidance], the SEC issued staff guidance on disclosure obligations regarding cybersecurity risks and incidents [see SEC Issues Cyber-Incident Guidance]. Now, the chairman of the Senate Commerce, Science and Transportation Committee wants the SEC commissioner to provide the guidance.
"Given the growing significance of cybersecurity on investors and stockholders' decisions, the SEC should elevate this guidance and issue it at the commission level as well," Rockefeller wrote the SEC's new chairman, Mary Jo White, in a letter dated April 9. "While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cybersecurity practices."
An SEC spokesman said White was likely to reply to Rockefeller and that it was up to the senator to decide whether to release her response. Rockefeller had yet to receive a response, a spokesman said on April 11. The SEC does not track how many companies report cybersecurity risks and incidents in their commission filings.
Elevating the guidance to the commission level would be more symbolic than legal in effect, but the commissioners' words should carry more sway than those of the staff.
"In terms of Rockefeller's desire for official guidance, as opposed to a staff report, I think such a step could raise the visibility of cybersecurity issues," said David Navetta, a founding partner of the Information Law Group who specializes in IT security.
But Navetta questioned whether corporate SEC filings about cyber-risk and incidents provide sufficient details to allow investors to make meaningful decisions about a company. "Unfortunately the information you would need to make a determination of success is either not available or not quantifiable," Navetta said.
SEC filings, though, do provide a window into cyber-attacks that many businesses won't acknowledge when they occur. In their annual 10-K earnings reports, filed with the SEC, seven of the nation's top 10 financial services institutions provided new details about the distributed-denial-of-service attacks they suffered in 2012 [see Top Banks Offer New DDoS Details].