A new line of defense in cybersecurity, with help from the SEC
By Jay Rockefeller and Michael Chertoff,
We have been in enough classified briefings over the years to know the details of the most significant threats to our national security and our way of life. One vulnerability in particular keeps us up at night: the state of our nation’s cybersecurity.
The directors of national intelligence under President George W. Bush and President Obama have called cyberattack the greatest long-term threat to our nation. Adm. Mike Mullen, the former chairman of the Joint Chiefs of Staff, has put it even more starkly, saying that cyberattacks pose one of only two existential threats to the United States. Russia’s nuclear weapons constitute the other — and amount to a threat that, Mullen says, is under control.
You don’t have to be in classified briefings to understand why the cyberthreat is so severe. The computer systems that run our critical infrastructure — the utilities, transportation, telecommunications and financial networks on which our society depends — are increasingly interconnected and highly vulnerable to disruption. Overt attacks on these systems would be frightening, but the constant electronic theft of intellectual property that has silently occurred over the past several years has already caused significant harm to our national and economic security. Hackers have penetrated every kind of corporate network imaginable — from defense contractor databases containing important security information to business systems containing sensitive data and trade secrets. Cybercriminals are stealing American ideas, research, formulas, source code, negotiation plans, designs and blueprints on a massive scale.
For years Congress and the executive branch have debated the roles and responsibilities of the private sector and the U.S. government in cyberspace. While the government can and should share information with the private sector about potential and ongoing attacks, as well as best practices for defending against the most sophisticated of attacks, the traditional models of nation-state defense simply do not neatly apply to a virtual and privately owned environment. Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility. Simply put, it is a cost of doing business in the 21st century.
Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.
Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.
This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices.
The SEC guidance will fundamentally alter this equation by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated, through defensive technologies or appropriate insurance coverage.
The SEC guidance does not provide answers to these questions, nor should it. Cyberthreats, technologies and risks are ever evolving, and so too must be a company’s answers to these questions. But armed with this guidance, investors will begin demanding answers.
Make no mistake: Our country is under cyberattack, and our national security and economic future are at severe risk. We believe that the SEC’s guidance — and the market-driven changes it will create in the way that the private sector considers risks — is a critical step toward improving U.S. cybersecurity.
Jay Rockefeller is a Democratic senator from West Virginia. Michael Chertoff was secretary of homeland security in the George W. Bush administration.