Senators Ask SEC to Issue IT Security Guidance

Many Companies Don't Report IT Security Risk to Investors
Five Democratic senators have asked the Securities and Exchange Commission to issue guidance regarding the disclosure of information security risks, including material network breaches, because of inconsistencies in reporting, investor confusion and the national importance of addressing cybersecurity.

The letter comes weeks after a rash of security breaches at storage vendor EMC's RSA security division, Alliance Data's Epsilon e-marketing unit and Sony's PlayStation service.

In a letter to SEC Chairwoman Mary Schapiro, the senators said a substantial number of companies do not report their information security risk to investors, citing a 2009 survey that found that 38 percent of Fortune 500 companies made a "significant oversight" by not mentioning privacy and data security exposures in their public filings.

The senators - Jay Rockefeller of West Virginia, Robert Menendez of New Jersey, Sheldon Whitehouse of Rhode Island, Mark Warner of Virginia and Richard Blumenthal of Connecticut - said they reviewed recent corporate disclosures of exposure to IT security risks and found that many companies failed to adequately address and mitigate those risks. "We found statements ranging from boilerplate descriptions of risk to details of specific attacks," the senators wrote. "We did not, however, find information on steps taken by the corporations to reduce risk exposure."

They said they believe many leaders of publicly traded companies might not fully understand their obligation to disclose information on potentially compromised intellectual property and trade secrets. "Material breach reporting, like information risk, is inconsistent and unreliable," the letter said. "We are concerned that the lack of quality, public information in these matters enables an inefficient marketplace that devalues security and impairs investor decision-making."

Specifically, the senators call on the SEC to develop and publish interpretive guidance clarifying existing disclosure requirements concerning IT security risk and breaches involving intellectual property and trade secrets. They also asked the SEC to examine the importance of credit agencies and security analysts incorporating evidence of IT security risk in their assessments of companies and investment products. "This guidance, undertaken using longstanding commission legal authority, will enhance investor and corporate awareness of information security risk," the senators wrote, "thus improving the national and economic security of our nation."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
