Cybercrime rates are rising. That part you probably knew. What you may not have known is that Congress is attempting to heighten public companies’ disclosure requirements for cyber security breaches. In October 2011, the SEC released guidance for cyber security reports intended to encourage companies to report “material risks” of concern to investors. However, the guidance is exactly as it sounds: guidance. Companies are currently not required to comply.

With hackers growing bolder in their target selection (previously infallible companies like Visa and MasterCard have recently been victims of cyber crime), Congress seeks to ensure that investors are aware of how cyber security risks affect companies’ bottom line. The financial repercussions of these breaches can be staggering: a UK company recently sustained $1.5 billion in revenue losses.

Thus, Senator Jay Rockefeller has added a measure to pending cyber security legislation requiring the SEC to clearly articulate when companies must disclose both security breaches and the procedure companies implement to protect their networks against further break-ins.

Just how effective these new requirements, if passed, will be is unclear. The consequences of cyber breaches are clear: dozens of Fortune 500 companies have had valuable information stolen or exposed through cyber theft, including intellectual property, bank account information, pharmaceutical companies’ patient records, and internal legal documents, to name a few. Hackers, however, are increasingly difficult to identify, and the techniques they use are nearly impossible to anticipate. Therefore, Senator Rockefeller’s proposal will likely do little to reduce investors’ risk. In reality, if companies are required to over-report, investors will refrain from investing, thereby negatively impacting the economy.

The reality is that as hackers expand their expertise, investors are increasingly familiarizing themselves with the weaknesses of the Internet-based society in which we live. Cyber crime is not new. The Millennials, many of whom are currently entering the ranks of investors, have grown up knowing that online information storage is not necessarily as safe as we would prefer. In choosing to make use of and invest in these products, we account for the risks associated with such technology. Therefore, while updating cyber security legislation to require companies to account for data breaches will be informative, its utility is arguably restricted to the older generations still largely unacquainted with the openness of the Internet. As this population continues to age, these investors will increasingly be replaced by more tech-savvy investors who are more comfortable with the risks associated with companies’ Internet usage. Meanwhile, disclosure may unnecessarily compromise companies’ ability to generate revenue through investments. Consequently, while commendable, Senator Rockefeller’s amendments may do more harm than good.


— Swathi Padmanabhan
