The Hill discusses how US lawmakers want the SEC to force detailed cyber disclosures that industry would rather keep secret, because companies fear that discussing their less-than-stellar cyber security would open them up to shareholder liability issues:
Langevin and Rep. Jim Himes (D-Conn.) made their case in a letter sent Thursday to SEC Chairwoman Mary Jo White. The move comes in the wake of a massive cyberattack on the government that has exposed up to 14 million people’s data and raised awareness about the pervasiveness of hackers.
The SEC is working on an update to its cyber disclosure rules, which could require companies to reveal more information about what data security measures they have in place, whether they have been hacked and, if so, how the cyberattackers got in.
The new guidelines could go into effect this year, after the commission spent 2014 studying the issue and investigating the cyber defenses of 100 top financial firms.
Private firms have pushed back against the heightened disclosures, arguing such a public airing of their defense mechanisms and flaws could open them up to shareholder lawsuits and give hackers a roadmap.
Rather than being coy about their cyber security incidents, companies should use this as an opportunity to demonstrate how effective they are at preventing cyber attacks. They can use it to show their peers that, by funding the right tools and hiring the right professionals, many of the average run-of-the-mill cyber operations can be thwarted without impacting their core business.