Cybersecurity

Lawmakers want SEC to force detailed cyber disclosures

Two lawmakers on Thursday pressed the Securities and Exchange Commission (SEC) to beef up the requirements on companies to disclose more information about their cybersecurity practices.

“Companies often fail to disclose the cybersecurity strategy they use to evaluate these threats,” said Rep. Jim Langevin (D-R.I.), co-chairman of the Congressional Cybersecurity Caucus. “Investors deserve to know what preventative measures are being taken against cyber risks, and consumers deserve to know how their private information is being protected.”

Langevin and Rep. Jim Himes (D-Conn.) made their case in a letter sent Thursday to SEC Chairwoman Mary Jo White. The move comes in the wake of a massive cyberattack on the government that has exposed up to 14 million people’s data and raised awareness about the pervasiveness of hackers.

The SEC is working on an update to its cyber disclosure rules, which could require companies to reveal more information about what data security measures they have in place, whether they have been hacked and, if so, how the cyberattackers got in.

The new guidelines could go into effect this year, after the commission spent 2014 studying the issue and investigating the cyber defenses of 100 top financial firms.

Private firms have pushed back against the heightened disclosures, arguing such a public airing of their defense mechanisms and flaws could open them up to shareholder lawsuits and give hackers a roadmap.

But consumer advocates argue that the boilerplate cyber language that firms use each year in SEC filings helps no one and lets companies off the data security hook.

Langevin and Himes are also part of a growing chorus of lawmakers making the same case.

“These cyber threats can have a chilling effect on investors and consumers unless they know that the proper efforts are being taken to secure private information properly,” Himes said. “We look to the SEC to lead in this situation and set industry-wide standards for all listed companies.”

Specifically, Langevin and Himes are pushing for regular disclosures from firms outlining their cyber practices, as well as a more consistent standard around when companies should file disclosure forms following a successful cyberattack.