The Securities and Exchange Commission (SEC) should consider directing publicly traded companies to disclose how they adhere to best practices for securing their data networks and how those practices are determined, two Democratic congressmen wrote to the chair of the commission on Thursday.
Seeking to better understand how the SEC itself assesses the cybersecurity challenges facing public companies, Reps. Jim Himes (Conn.) and Jim Langevin (R.I.) also asked SEC Chair Mary Jo White to update them on “how cybersecurity fits into the SEC’s disclosure review process” and on who at the SEC is in charge of determining a company’s “best practices and how they are maintained.”
“Institutional investors, private investors, and public pension funds should be able to compare the robustness of cybersecurity protections and controls between companies in the same sector,” Himes and Langevin tell White. They add that “Every company regulated by the SEC is in some way a digital company, and thus subject to risks that include loss of intellectual property, disclosure of sensitive data, and loss of customer confidence,” any of which can lead to “loss of market share.”
Currently, publicly traded companies “often” don’t provide much cyber information unless they are breached, and afterward they usually don’t update that language, Himes and Langevin wrote.
Himes and Langevin also said that the SEC’s Division of Corporation Finance is currently reviewing the disclosure process required of publicly traded companies “to increase transparency and information,” adding that “Cyber and cybersecurity disclosures are a clear and discrete area where investors need more relevant and timely information.”
As part of publicly traded companies’ annual reporting to the SEC, which is done through 10-K forms, Himes and Langevin also want the SEC to consider having these companies disclose their plans and schedules for achieving “full conformity” with cyber security best practices in their respective market sectors and how these practices are updated to keep pace with “evolving threats.” They also want to know how often a company’s board and senior leaders are briefed on cyber security incidents.
The congressmen said their recommendations are consistent with a two-year-old report by the President’s Council of Advisors on Science and Technology, and that stronger disclosure requirements around cyber security won’t increase companies’ vulnerabilities or make it easier for cyber attackers to compromise their networks.