Senators Ask SEC to Issue IT Security Guidance
Many Companies Don't Report IT Security Risk to Investors
The letter comes weeks after a rash of security breaches at storage vendor EMC's RSA security division, Alliance Data's Epsilon e-marketing unit and Sony's PlayStation service.
In a letter to SEC Chairwoman Mary Schapiro, the senators said a substantial number of companies do not report their information security risk to investors, citing a 2009 survey that found that 38 percent of Fortune 500 companies made a "significant oversight" by not mentioning privacy and data security exposures in their public filings.
The senators - Jay Rockefeller of West Virginia, Robert Menendez of New Jersey, Sheldon Whitehouse of Rhode Island, Mark Warner of Virginia and Richard Blumenthal of Connecticut - said they reviewed recent corporate disclosures of exposure to IT security risks and found that many companies failed to adequately address and mitigate those risks. "We found statements ranging from boilerplate descriptions of risk to details of specific attacks," the senators wrote. "We did not, however, find information on steps taken by the corporations to reduce risk exposure."
They said they believe many leaders of publicly traded companies might not fully understand their obligation to disclose information on potentially compromised intellectual property and trade secrets. "Material breach reporting, like information risk, is inconsistent and unreliable," the letter said. "We are concerned that the lack of quality, public information in these matters enables an inefficient marketplace that devalues security and impairs investor decision-making."
Specifically, the senators call on the SEC to develop and publish interpretive guidance clarifying existing disclosure requirements concerning IT security risk and breaches involving intellectual property and trade secrets. They also asked the SEC to examine the importance of credit agencies and security analysts incorporating evidence of IT security risk in their assessments of companies and investment products. "This guidance, undertaken using longstanding commission legal authority, will enhance investor and corporate awareness of information security risk," the senators wrote, "thus improving the national and economic security of our nation."