The Securities and Exchange Commission (SEC) issued new guidance in February, urging senior executives and board members to pay closer attention to cybersecurity. However, while the recommendations are more stringent than previous ones, they don’t go far enough and lack teeth, critics say.
In a set of recommendations about disclosures of cybersecurity risks back in 2011, the SEC said that companies need to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” However, the agency clarified that this did not require businesses to talk about specific technical details of those risks. In addition, the earlier guidance suggested that the SEC would not enforce any of its cybersecurity recommendations.
That earlier guidance indicated that the SEC would consider enforcement actions in the future if companies ignored the recommendations, but there is no sign of such enforcement in the new guidance. In fact, critics say that it doesn’t offer much more than the original 2011 recommendations did.
Read more on CSO about why those who hoped that, after Equifax, the US Securities and Exchange Commission would impose tougher breach-reporting rules (and consequences for breaking them) will be disappointed.