WASHINGTON, June 10 - Public companies that are
victims of cyber attacks should consider disclosing additional
information beyond what's required to help protect customers
whose private data could be at risk, a top U.S. regulator said.
U.S. Securities and Exchange Commission member Luis Aguilar
made his plea to public companies and their boards in a speech
at the New York Stock Exchange.
"I would encourage companies to go beyond the impact on the
company and to also consider the impact on others," Aguilar, a
Democrat, said in prepared remarks.
"It is possible that a cyber-attack may not have a direct
material adverse impact on the company itself, but that a loss
of customers' personal and financial data could have devastating
effects on the lives of the company's customers and many
Americans. In such cases, the right thing to do is to give these
victims a heads-up so that they can protect themselves."
Aguilar's comments come in the wake of several high-profile
cyber attacks against companies including Adobe Systems Inc
and Target Corp.
Those incidents have sparked major public policy debates in
Washington, D.C. among law enforcers, regulators and lawmakers
over how customers should be alerted, who should bear the cost
of breaches, and how such information should be disclosed both
to government and the public.
Federal securities laws do not specifically address cyber
security breaches but merely call for the disclosure of
information that is "material" to companies' profits.
In 2011, the SEC released guidance to help companies better
determine when and how to disclose cyber security events. Since
then, some have urged the SEC to take additional steps.
Earlier this year, at Aguilar's request, the SEC held a
roundtable and solicited feedback from other government offices,
cyber experts and financial industry officials.
In his speech, Aguilar urged company boards to be more
involved in risk management oversight.
"Evidence suggests that there may be a gap that exists
between the magnitude of the exposure presented by cyber-risks
and the steps, or lack thereof, that many corporate boards have
taken to address these risks," he said.
He said boards should put "time and resources" into making
sure management has developed response plans outlining how cyber
attacks will be disclosed.
(Editing by Bernadette Baum)