The Securities and Exchange Commission (SEC) issued new guidance in February urging senior executives and board members to pay closer attention to cybersecurity. Critics say, however, that the recommendations, while more stringent than the guidance they replace, do not go far enough and, more importantly, lack teeth.
No consequences for failure
In a set of recommendations about disclosures of cybersecurity risks back in 2011, the SEC said that companies need to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”
The agency clarified that this did not require businesses to disclose specific technical details of those risks. As a result, the disclosures companies did make were of limited use: according to a 2014 study by PricewaterhouseCoopers and the Investor Responsibility Research Center Institute, they “rarely provide differentiated or actionable information for investors.”