WASHINGTON (Reuters) - Public companies that are victims of cyber attacks should consider disclosing additional information beyond what’s required to help protect customers whose private data could be at risk, a top U.S. regulator said Tuesday.
U.S. Securities and Exchange Commission member Luis Aguilar made his plea to public companies and their boards in a speech at the New York Stock Exchange.
“I would encourage companies to go beyond the impact on the company and to also consider the impact on others,” Aguilar, a Democrat, said in prepared remarks.
“It is possible that a cyber-attack may not have a direct material adverse impact on the company itself, but that a loss of customers’ personal and financial data could have devastating effects on the lives of the company’s customers and many Americans. In such cases, the right thing to do is to give these victims a heads-up so that they can protect themselves.”
Aguilar’s comments come in the wake of several high-profile cyber attacks against companies including Adobe Systems Inc and Target Corp.
Those incidents have sparked major public policy debates in Washington, D.C. among law enforcers, regulators and lawmakers over how customers should be alerted, who should bear the cost of breaches, and how such information should be disclosed both to government and the public.
Federal securities laws do not specifically address cyber security breaches but merely call for the disclosure of information that is “material” to companies’ profits.
In 2011, the SEC released guidance to help companies better determine when and how to disclose cyber security events. Since then, some have urged the SEC to take additional steps.
Earlier this year, at Aguilar’s request, the SEC held a roundtable and solicited feedback from other government offices, cyber experts and financial industry officials.
In his speech, Aguilar urged company boards to be more involved in risk management oversight.
“Evidence suggests that there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks,” he said.
He said boards should put “time and resources” into making sure management has developed response plans outlining how cyber attacks will be disclosed.
Editing by Bernadette Baum