https://www.lawfareblog.com/sec-and-cybersecurity-regulation
By Nathaniel Sobel
Lawfare
November 19, 2018
American companies are getting hacked, and the Securities and Exchange
Commission wants corporate executives to do something about it. According
to a White House Council of Economic Advisers report released earlier this
year, malicious cyber activity cost the U.S. economy between $57 billion
and $109 billion in 2016. The report acknowledged a widely recognized root
of the problem: "[C]yberattacks and cyber theft impose externalities that
may lead to rational underinvestment in cybersecurity by the private
sector relative to the socially optimal level of investment."
But despite outrage and hearings in Congress after major breaches, like
the Equifax hack disclosed last year, Congress has not passed new
legislation. There is no current central federal mandate that offers
protections for personal data. Instead, as a legal treatise puts it, the
U.S. "has a patchwork system of federal and state laws and regulations
that can sometimes overlap, dovetail and contradict one another." It's in
that context that the Securities and Exchange Commission (SEC) has, under
its authority of enforcing the federal securities laws, steadily increased
its regulation of cybersecurity-related matters. A top SEC official said
last year that: "The greatest threat to our markets right now is the cyber
threat." And SEC Chairman Jay Clayton told the Senate Banking Committee
that in regard to cyber attacks, companies "should be disclosing more" and
that there should be "better disclosure about their risk portfolios and
sooner disclosures about intrusions." In another statement, Clayton
announced:
[...]