date 2014-03-26
By Sarah N. Lynch
WASHINGTON, March 26 Cyber experts urged U.S.
securities regulators on Wednesday to tread carefully when
requiring companies to disclose security breaches and cyber
threats, saying giving too much information may leave them
vulnerable to hackers or legal action.
"I don't think the commission should be going overboard,"
Roberta Karmel, a professor at Brooklyn Law School, told a
U.S. Securities and Exchange Commission (SEC) cyber security
panel discussion.
"I am not sure the SEC is the agency that really should be
pushing companies to do more by requiring more disclosure of
breaches and other kinds of information that aren't material."
The SEC convened the cyber security event after a recent
series of high-profile data breaches at companies like Target
Corp and Neiman Marcus Group.
Those incidents sparked major public policy debates,
including on how customers should be alerted, who should bear
the cost of breaches, and how such information should be
disclosed both to government and the public.
The SEC has also come under considerable political pressure
to take additional steps to require public companies to disclose
more information about cyber threats to investors.
It issued informal staff-level guidance in 2011 to help
public companies decide when and how cyber events should be
disclosed. Since then, it has written to more than 50 companies
seeking clarification on cyber-related disclosures.
Some panelists said they worry that going beyond the current
cyber security disclosures could adversely impact companies, and
it may not be possible to strike the right balance.
Companies that overshare information, for instance, could
become targets of shareholder suits and regulatory probes,
experts said.
In some cases, federal law enforcement agencies like the FBI
also tell companies they cannot reveal information about cyber
attacks, putting public companies in a difficult position.
"There are circumstances where federal government agencies
will show up and say ... it is classified so you can't talk
about it," said Leslie Thornton, vice president and general
counsel for WGL Holdings, Inc. and Washington Gas Light
Company.
PERVASIVE THREAT
U.S. lawmakers have been contemplating legislation to
provide clarity about how notifications should be made, but so
far Congress has not been able to pass any cyber security bills.
Some experts say the SEC needs to do more, whether to issue
more formal commission-level guidance or take steps to ensure
companies are disclosing more material incidents to investors.
Jonas Kron, a senior vice president and director of
shareholder advocacy at Trillium Asset Management LLC, told the
SEC on Wednesday he felt the cyber threat disclosures he has
seen since the 2011 guidance were still inadequate.
"Unfortunately, I think we are seeing a lot of boilerplate"
disclosures, Kron said. "That is the honest truth of what we are
seeing, and that is really unfortunate."
SEC commissioners did not offer any views on what, if
anything, the SEC should do regarding cyber threat disclosures.
However, one SEC commissioner, Democrat Luis Aguilar, called
for it to consider forming an interagency cyber security task
force to help inform the SEC's thinking.
"The increased pervasiveness and seriousness of the cyber
security threat raises questions about whether more should be
done to ensure the proper functioning of the capital markets and
the protection of investors," he said.
(Reporting by Sarah N. Lynch; Editing by Sophie Hares)