Editor’s Note: The Center for Regulatory Effectiveness has discussed SEC regulation of corporate cybersecurity here, here, here and here. CRE advised the Commission to pursue an internationally coordinated approach to the issue here.
By John Mutch, CEO, BeyondTrust and former CEO of HNC Software and Peregrine Systems
For public company CEOs, the list of items under SEC purview seems to grow overnight. One item that has potential to be added to that list is the reporting on cyber security risk to shareholders. Activists and public officials are pressing the SEC to elevate its guidance to companies on the disclosure of actual breaches. Having been CEO of a public company and now as CEO of a global enterprise software company which provides cyber security and compliance solutions to many public companies, I can attest to the growing complexities and pressures of supply (threats and risk to operations) and demand (regulatory requirements) that must be managed on a daily basis.
This is going to be an even steeper climb if the SEC requires companies to disclose their cyber risk. In his April 9 letter to the SEC Chair, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) urged the SEC to step up the requirements in its guidance (issued in October 2011) for companies to disclose information about their ability to defend against attacks on their networks.
“Investors deserve to know whether companies are effectively addressing their cyber security risks — just as investors should know whether companies are managing their financial and operational risks,” the letter said. “Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cyber security efforts seriously.”
This is a rapid evolution. Public companies have only recently been required to report on successful breaches. Now we are potentially facing a requirement for companies to report on their confidence in their own defenses. What would that SEC filing look like?