Rockefeller Calls on SEC to Make Corporate Cyber Attacks Public

Too few companies report their information security risks to investors, Senators say

May 12, 2011

WASHINGTON, D.C.—Chairman John D. (Jay) Rockefeller IV (D-W.Va.) today called on the U.S. Securities and Exchange Commission (SEC) to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems.

Rockefeller, in a letter to SEC Chairman Mary Schapiro, said “Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat…it is essential that corporate leaders know their responsibility for managing and disclosing security risk.” The letter was signed by four other senators: Sens. Robert Menendez (D-N.J.), Sheldon Whitehouse (D-R.I.), Mark Warner (D-Va.) and Richard Blumenthal (D-Conn.).

Cyber risk management is a critical corporate responsibility. Federal securities law requires publicly traded companies to disclose “material” risks and events, including cyber risks and network breaches. A review of past disclosures suggests that a significant number of companies are failing to meet these requirements. The SEC has longstanding authority to publish “interpretive guidance” to clarify corporate responsibilities, protect investors, and promote fair and efficient markets. 

Chairman Rockefeller is the lead sponsor of comprehensive legislation to address America’s vulnerability to cybercrime and attacks. He is now working with the White House and with Committee chairs to pass a comprehensive cybersecurity bill this year.