Senate Dems ask SEC to require firms to disclose cyber-attacks

Senate Commerce Chairman Jay Rockefeller (D-W.Va.) and several colleagues wrote to Securities and Exchange Commission Chairwoman Mary Schapiro on Wednesday arguing firms should be forced to disclose cyber-attacks that could affect earnings or give competitors' a leg-up in the marketplace.

The lawmakers ask the commission to issue guidance that clarifies firms must disclose any network breach that could jeopardize the firm's intellectual property or trade secrets in order to provide investors with full transparency.

"Our review of recent corporate disclosures suggest that material breach reporting, like information risk, is inconsistent and unreliable," wrote Rockefeller and Sens. Robert Menendez (D-N.J.), Mark Warner (D-Va.), Sheldon Whitehouse (D-R.I.) and Richard Blumenthal (D-Conn.).

"We are concerned that the lack of quality, public information in these matters enables an inefficient marketplace that devalues security and impairs investor decision-making."

The letter comes three weeks after a hacker attack on Sony brought down two online gaming networks and imperiled the personal data of more than 100 million consumers worldwide.

Sony's delay of almost a week before releasing details on the attacks prompted harsh criticism from many lawmakers, with Blumenthal calling for an investigation by the Department of Justice.

The letter argues firms should be required to disclose both attacks along with their information security risk, noting that a 2009 survey by insurance underwriter Hiscox found 38 percent of Fortune 500 companies didn't mention privacy or data security exposures in their public filings.

Many firms that do disclose their cybersecurity risks don't always take adequate steps to mitigate them, either.

---