The Securities and Exchange Commission is advancing measures that would require publicly owned companies to disclose more information about their cybersecurity vulnerabilities, including data breaches.
The requirements could put pressure on companies to tighten their own security, because the SEC rules would let the public know how well firms are securing their private information.
On Tuesday, the White House launched a new initiative to encourage greater sharing of cyber threat information among government agencies and the private sector following a spate of high-profile attacks and data breaches at major companies, including Sony and Home Depot.
"It's a harbinger of what's to come, and I think it will change the way companies think about and report on cyber," said Norma Krayem, a lobbyist with Squire Patton Boggs and co-chairman of the firm's cybersecurity industry group.
Firms worried the information they are providing to the SEC could be used for shareholder lawsuits are likely to look for ways to tighten their controls.
Experts say that's why the SEC could play a huge role in strengthening cybersecurity.
"It's becoming more and more a consumer's market, which is good for the country," said Kim Phan, a Ballard Spahr attorney who advises companies on their SEC filings. "But there's a lot more risk to companies."
Lawmakers have helped nudge the agency along the past few years.
"It's kind of a recent trend that Congress seems to think federal security laws should cover absolutely everything that goes on in terms of the conduct at public companies," said Roberta Karmel, a former SEC commissioner and now a professor at Brooklyn Law School.
Since 2011, former Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.), now retired, has been prodding the SEC to require increased disclosure about cybersecurity failures and risks. Rockefeller escalated his call in 2013.
"Disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cybersecurity practices," he said in an April 2013 letter to SEC head Mary Jo White.
But Congress took its biggest step to direct the SEC on cybersecurity in last month's budget, passed during the lame-duck session. The bill compelled the agency to report back on modernizing cybersecurity disclosures. It was unique, many said, for lawmakers to publicly direct the SEC in this fashion.