"I don't think the commission should be going overboard," said
Roberta Karmel, a professor at Brooklyn Law School, told a U.S.
Securities and Exchange Commission (SEC) cyber security panel
"I am not sure the SEC is the agency that really should be pushing
companies to do more by requiring more disclosure of breaches and
other kinds of information that aren't material."
The SEC convened the cyber security event after a recent series of
high-profile data breaches at companies like Target Corp and Neiman
Those incidences sparked major public policy debates, including on
how customers should be alerted, who should bear the cost of
breaches, and how such information should be disclosed both to
government and the public.
The SEC has also come under considerable political pressure to take
additional steps to require public companies to disclose more
information about cyber threats to investors.
It issued informal staff-level guidance in 2011 to help public
companies decide when and how cyber events should be disclosed.
Since then, it has written to more than 50 companies seeking
clarification on cyber-related disclosures.
Some panelists said they worry going beyond the current cyber
security disclosures could adversely impact companies, and it may
not be possible to strike the right balance.
Companies that over share information, for instance, could become
targets of shareholder suits and regulatory probes, experts said.
In some cases, federal law enforcement agencies like the FBI also
tell companies they cannot reveal information about cyber attacks,
putting public companies in a difficult position.
"There are circumstances where federal government agencies will show
up and say ... it is classified so you can't talk about it," said
Leslie Thornton, vice president and general counsel for WGL
Holdings, Inc. and Washington Gas Light Company.
[to top of second column]
U.S. lawmakers have been contemplating legislation to provide
clarity about how notifications should be made, but so far Congress
has not been able to pass any cyber security bills.
Some experts say the SEC needs to do more, whether to issue more
formal commission-level guidance or take steps to ensure companies
are disclosing more material incidents to investors.
Jonas Kron, a senior vice president and director of shareholder
advocacy at Trillium Asset Management LLC, told the SEC on Wednesday
he felt the cyber threat disclosures he has seen since the 2011
guidance were still inadequate.
"Unfortunately, I think we are seeing a lot of boiler plate"
disclosures, Kron said. "That is the honest truth of what we are
seeing, and that is really unfortunate."
SEC commissioners did not offer any views on what, if anything, the
SEC should do regarding cyber threat disclosures.
However, one SEC commissioner, Democrat Luis Aguilar, called for it
to consider forming an interagency cyber security task force to help
inform the SEC's thinking.
"The increased pervasiveness and seriousness of the cyber security
threat raises questions about whether more should be done to ensure
the proper functioning of the capital markets and the protection of
investors," he said.
(Reporting by Sarah N. Lynch; editing by Sophie Hares)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.