Chairman John D. (Jay) Rockefeller IV called on the U.S. Securities and Exchange Commission (SEC) to issue Commission-level guidance on disclosure obligations for companies on cybersecurity risks, including cyber incidents they experience, and the steps they are taking to manage those risks. Rockefeller believes that investors and the American public should know what publicly-traded companies are doing to address cybersecurity risks, just as companies' readiness to manage financial and operational risks is significant information for investors.
Rockefeller, in a letter to newly-confirmed SEC Chairman Mary Jo White, said "I believe investors deserve to know whether companies are effectively addressing their cybersecurity risks -- just as investors should know whether companies are managing their financial and operational risks. This information is indispensable to efficient markets, and as a country, we need the private sector to make significant investments in cybersecurity. Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cybersecurity efforts seriously."
In response to Chairman Rockefeller's letter to former SEC Chairman Mary Schapiro in May 2011 calling on the Commission to clarify corporate disclosure requirements for cybersecurity risks and cyber incidents, the SEC issued staff-level guidance that was an important step in the right direction. However, given the growing significance of cybersecurity to investors' and stockholders' decisions, formal guidance from the Commission itself would signal to companies that cybersecurity efforts need to be taken seriously.
Federal securities law already requires publicly traded companies to disclose "material" risks and events, including cyber risks and network breaches. The SEC has longstanding authority to publish "interpretive guidance" to clarify corporate responsibilities, protect investors, and promote fair and efficient markets.