Value of cyber breach disclosures by U.S. firms gets SEC panel's scrutiny
(Reuters) — Cyber experts urged U.S. securities regulators on Wednesday to tread carefully when requiring companies to disclose security breaches and cyber threats, saying giving too much information may leave them vulnerable to hackers or legal action.
“I don't think the commission should be going overboard,” said Roberta Karmel, a professor at Brooklyn Law School, during a U.S. Securities and Exchange Commission cyber security panel discussion.
“I am not sure the SEC is the agency that really should be pushing companies to do more by requiring more disclosure of breaches and other kinds of information that aren't material.”
The SEC convened the cyber security event after a recent series of high-profile data breaches at companies like Target Corp. and Neiman Marcus Group.
Those incidents sparked major public policy debates, including on how customers should be alerted, who should bear the cost of breaches, and how such information should be disclosed both to government and the public.
The SEC has also come under considerable political pressure to take additional steps to require public companies to disclose more information about cyber threats to investors.
It issued informal staff-level guidance in 2011 to help public companies decide when and how cyber events should be disclosed. Since then, it has written to more than 50 companies seeking clarification on cyber-related disclosures.
Some panelists said they worry going beyond the current cyber security disclosures could adversely impact companies, and it may not be possible to strike the right balance.
Companies that overshare information, for instance, could become targets of shareholder suits and regulatory probes, experts said.
In some cases, federal law enforcement agencies like the FBI also tell companies they cannot reveal information about cyber attacks, putting public companies in a difficult position.
“There are circumstances where federal government agencies will show up and say ... it is classified so you can't talk about it,” said Leslie Thornton, vice president and general counsel for WGL Holdings, Inc. and Washington Gas Light Company.
U.S. lawmakers have been contemplating legislation to provide clarity about how notifications should be made, but so far Congress has not been able to pass any cyber security bills.
Some experts say the SEC needs to do more, whether to issue more formal commission-level guidance or take steps to ensure companies are disclosing more material incidents to investors.
Jonas Kron, a senior vice president and director of shareholder advocacy at Trillium Asset Management L.L.C., told the SEC on Wednesday he felt the cyber threat disclosures he has seen since the 2011 guidance were still inadequate.
“Unfortunately, I think we are seeing a lot of boilerplate” disclosures, Kron said. “That is the honest truth of what we are seeing, and that is really unfortunate.”
SEC commissioners did not offer any views on what, if anything, the SEC should do regarding cyber threat disclosures.
However, one SEC commissioner, Democrat Luis Aguilar, called for it to consider forming an interagency cyber security task force to help inform the SEC's thinking.
“The increased pervasiveness and seriousness of the cyber security threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors,” he said.