The SEC emerges as a vocal proponent of cyber security

Ben Fagan | July 17, 2014 | tag: Security Risk Management

Proposed cyber security legislation, notably bills relating to a federal data breach notification standard, has been slow moving in the halls of Congress. While measurable progress has been made on some legislative pushes -- recently evidenced by the Senate Intelligence Committee’s passage of Sen. Dianne Feinstein’s cyber threat information sharing bill -- it would be a stretch to say that lawmakers are currently influencing how private industry addresses this issue.

Yet the slow pace of legislation does not mean that Washington has kept quiet about the importance of IT security in today’s business environment. The SEC (Securities & Exchange Commission) has been increasingly vocal about the importance of corporate cyber security. Last month, SEC Commissioner Luis Aguilar called on corporate boards to take steps to include cyber issues in overall risk management decisions made at the board level. This guidance echoes last year’s alert, issued by the SEC’s Office of Compliance Inspections & Examinations, which outlined policies and procedures that companies should adopt to be in compliance.

The SEC has also been positioning itself as a key regulator for corporate cyber security issues, having sent letters to companies in the past for not following disclosure guidelines. And, as one article on the subject notes, while its guidance is technically not a ruling, the SEC has the ability to levy fines against companies that have not followed its disclosure guidelines. Perhaps more illuminating are suggestions that the SEC considers a company's culture of cyber security in its investigations. This means that companies that proactively disclose to investors and show a commitment to transparency “could help avoid SEC enforcement actions — or at least mitigate penalties.”

This adoption of cyber security as a critical regulatory issue for the SEC demonstrates that this regulatory body sees network and information sharing continuity as a cornerstone of the functioning of the financial markets. In short, cyber issues are business issues.

 
