WASHINGTON (Reuters) - Securities and Exchange Commission Chairman Mary Schapiro said this week she will “seriously consider” issuing additional guidance outlining when public companies should disclose cybersecurity breaches.
“Although we are not aware that investors have asked for more disclosure in this area, I have asked the commission staff to provide me with a briefing on current disclosure practices,” Schapiro said in a letter to Senator John Rockefeller dated June 6 and released publicly on Wednesday.
“As we further analyze this issue, we will seriously consider your request for interpretive guidance.”
Schapiro’s decision to explore the issue follows a recent spate of high-profile hacks and data losses. Hacking victims have included defense contractor Lockheed Martin and search giant Google Inc.
Although public companies are required by law to disclose “material” risks and events that would be considered important for investors to know about, Rockefeller said he was concerned that many companies fail to disclose information security risks.
In a letter to Schapiro last month, Rockefeller cited a 2009 survey by specialty insurer Hiscox that found 38 percent of Fortune 500 companies failed to mention privacy or data security breaches in public filings.
In addition, he said the quality of the disclosures that are made may not be enough. Some only provide “boilerplate descriptions” and often fail to mention what steps the company has taken to reduce the risk.
He asked the SEC to consider publishing interpretive guidance on disclosing material security breaches involving intellectual property or trade secrets.
Additional reporting by Diane Bartz and Jeremy Pelofsky; Editing by Steve Orlofsky