WASHINGTON, D.C.—Chairman John D. (Jay) Rockefeller IV released the following statement after the U.S. Securities and Exchange Commission (SEC) issued guidance on its views regarding company disclosure obligations relating to cybersecurity risks and cyber incidents:

“This guidance fundamentally changes the way companies will address cybersecurity in the 21^st century.  For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them.  Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark.  This guidance changes everything.  It will allow the market to evaluate companies in part based on their ability to keep their networks secure.  We want an informed market and informed consumers, and this is how we do it.  I asked the SEC about this because these companies are required under law to report these incidents.  I am very pleased the SEC listened and took my requested action.”

The SEC’s guidance can be found here.

Background:

Earlier this year, Chairman Rockefeller sent a letter to SEC Chairwoman Mary Schapiro calling on the Commission to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems. 

Cyber risk management is a critical corporate responsibility.  Federal securities law requires publicly traded companies to disclose “material” risks and events, including cyber risks and network breaches.  A review of past disclosures suggests that a significant number of companies are failing to meet these requirements.  The SEC has longstanding authority to publish guidance to clarify corporate responsibilities, protect investors, and promote fair and efficient markets. 

Chairman Rockefeller is a lead sponsor of comprehensive legislation to address America’s vulnerability to cybercrime and attacks. 

###