The Securities and Exchange Commission is advancing measures that would require publicly owned companies to disclose more information about their cybersecurity vulnerabilities, including data breaches.
The requirements could put pressure on companies to tighten their own security, because the SEC rules would let the public know how well firms are securing their private information.
{mosads}In 2014, the agency held a public roundtable on the issue, proposed enhanced cybersecurity disclosure requirements and investigated the cyber defenses of 100 top financial firms. In 2015, those proposals could become actual regulations, and the SEC revealed this week it may soon release the results of its investigation.
On Tuesday, the White House launched a new initiative to encourage greater sharing of cyber threat information among government agencies and the private sector following a spate of high profile attacks and data breaches at major companies, including Sony and Home Depot.
“It’s a harbinger of what’s to come, and I think it will change the way companies think about and report on cyber,” said Norma Krayem, a lobbyist with Squire Patton Boggs and co-chairman of the firm’s cybersecurity industry group.
Firms worried the information they are providing to the SEC could be used for shareholder lawsuits are likely to look for ways to tighten their controls.
Experts say that’s why the SEC could play a huge role in strengthening cybersecurity.
“It’s becoming more and more a consumers’ market, which is good for the country.” said Kim Phan, a Ballard Spahr attorney who advises companies on their SEC filings. “But there’s a lot more risk to companies.”
Lawmakers have helped nudge the agency along the past few years.
“It’s kind of a recent trend that Congress seems to think federal security laws should cover absolutely everything that goes on in terms of the conduct at public companies,” said Roberta Karmel, a former SEC commissioner and now a professor at Brooklyn Law School.
Since 2011, former Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) — now retired — has been prodding the SEC to require increased disclosure about cybersecurity failures and risks. Rockefeller escalated his call in 2013.
“Disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices,” he said in an April 2013 letter to SEC head Mary Jo White.
But Congress took its biggest step to direct the SEC on cybersecurity in last month’s budget, passed during the lame-duck session. The bill compelled the agency to report back on modernizing cybersecurity disclosures. It was unique, many said, for lawmakers to publicly direct the SEC in this fashion.
“Where does every good legislator go when they can’t get legislation passed?” Phan asked. “They go to an appropriations bill.”
Typically, publicly owned companies are required to file quarterly and annual financial reports to the SEC. Additionally, companies must file a form following any incident that causes “material harm,” meaning it affects their financial condition, Karmel explained.
Fallout costs from data breaches can set companies back tens or hundreds of millions of dollars, yet many argue this is never reflected in SEC disclosures. More broadly, companies’ cybersecurity disclosures have been criticized as generic, uninformative and useless to the public.
“They use boilerplate language every year,” said Jeffrey Carr, CEO of cybersecurity firm Taia Global, who has reviewed the SEC filings of companies that experienced data breaches.
Sony is a great example, he said. Three years before the company’s recent headline-grabbing cyberattack, hackers took down Sony’s online PlayStation Network. Despite a reported cost of $171 million, the company never filed a disclosure form with the SEC about the incident, nor significantly updated its regular SEC cyber risk assessments, Carr said.
The company has also yet to file an SEC form following the recent destructive assault on its movie studio, which exposed the company’s internal documents, destroyed its computer network and caused Sony to almost cancel the release of a multimillion-dollar comedy.
Other companies that experienced major breaches in 2014, like JPMorgan Chase, did file SEC documents following their intrusions, but experts still found the disclosures lacking.
“The SEC needs to sort of step in there and say this is not acceptable,” Carr said.
“I’m sure Universal wants to know what happened at Sony,” Phan added, though she said requiring companies to publicly report to the SEC after cyberattacks is a slippery slope.
“It’s an SEC filing. You don’t want to say, ‘Hey, here are my vulnerabilities,’ ” she said.
Some lawmakers echo Phan’s hesitation. Rep. Dutch Ruppersberger (D-Md.) told The Hill such reporting requirements could expose companies to a plethora of shareholder lawsuits.
“We better start focusing on the issue of liability” before moving too quickly on heightened SEC cyber disclosures, he said. “What a haven for lawsuits for people.”
Ruppersberger on Friday revived legislation that would give legal protections to companies willing to share data breach and general cybersecurity information with the government.
The bill — known as the Cyber Intelligence Sharing and Protection Act (CISPA) — wouldn’t necessarily give the public more insight into data breaches, though. The information would be privately exchanged between the public and private sector.
Lawmakers have long discussed a federal data breach notification law, but no serious proposal made headway in the last Congress.
Absent congressional legislation, Carr thinks 2015 could be “the year [the SEC] starts to move toward regulation in a more severe way.”
“The SEC’s actions should cause [companies] to sit up and pay more attention,” said Krayem of Squire Patton Boggs.