U.S. Sen. Jay Rockefeller wants to strengthen SEC legislation that requires publicly traded companies to disclose significant digital security breaches, mainly because most of them aren't doing so.
The chairman of the Senate Commerce, Science and Transportation Committee last week added a provision to cybersecurity legislation that would direct the SEC to clarify when companies must disclose data breaches.
Rockefeller, D-W.Va., sought the provision after several corporations failed to disclose high-profile thefts to the SEC last year, claiming either that their cases were exempt or that they had minimally met the spirit of the law. According to the Associated Press, those include hotel giant Wyndham Worldwide Corp. and Amazon, which owns online retailer Zappos.com. Both companies suffered attacks (in Wyndham's case, three in the past two years) that put hundreds of thousands of customers at risk. Neither mentioned those security events in its annual corporate filings.
Amazon claimed that because the Zappos customer data breach didn't affect Amazon's business, it didn't meet the "material risk" threshold. Wyndham told the AP it fully complied with SEC regulations with regard to the disclosure of material events. It didn't mention the breaches in SEC filings, but it did publish a notice to customers on its corporate Web site.
SEC guidelines issued last October outline disclosure obligations when a cyber incident occurs. Though not compulsory, they suggest companies treat cybersecurity incidents like other business risks, since they can result in lost revenue and litigation that shareholders deserve to know about. The guidance also recommends that companies be upfront with investors without providing the kind of detail that could invite further attacks.
“The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision,” it states. “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”
Given that such corporate disclosures remain rare, Rockefeller hopes the clarifications will compel more companies to comply with the cyber incident disclosure obligations described in the SEC guidance.