According to a top SEC official, its investigators are looking for companies with poor risk controls lax standards on data breach disclosures.
David Glockner, director of the SEC’s Chicago Regional Office, said “cyber security… is an area where we have not brought a significant number of cases yet, but is high on our radar screen.” A couple of years ago the SEC drafted informal recommendations for “public companies on whether to disclose cyber attacks and their impact on a company’s financial condition.”. However, there are no rules on how or when cyber incidents must be reported and virtually every state has different rules about data breach notification.
Reuters has the full story on the SEC’s future role in cybersecurity.