As SEC officials debate stronger actions to require public companies to disclose preparations for cybersecurity risks and incidents, the pressure is on institutional investors to keep pushing, industry sources said.
The Securities and Exchange Commission voted unanimously on Feb. 21 to update its 2011 guidance, which told public companies how to disclose cybersecurity risks and procedures. SEC Chairman Jay Clayton said the update "will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors."
The update added two topics: the importance of having cybersecurity policies and procedures in place, and bans on stock trading by board members and executives after a cybersecurity incident.
For the two Democratic commissioners, Kara Stein and Robert Jackson Jr., the action was underwhelming.
"The bottom line on cybersecurity is, companies are under attack 24 hours a day, seven days a week. This is a war right now," Mr. Jackson said in an interview. He likened the SEC guidance to bringing a whiffle-ball bat to a Major League Baseball game.
Four days earlier, the White House Council of Economic Advisers raised its own alarm in a report, saying that firms are not investing enough to prevent and evaluate the risk of cybersecurity attacks, and that regulators need to do more to get public companies to up their cybersecurity prevention game. In the case of public companies, the CEA found, companies lost an average of 0.8% of their market value after a cyber event. Investors should be made aware of the risk, and all registered firms, including private funds, should make cybersecurity a compliance priority, the report's authors said.