Cyberattacks Represent Top Risk, SEC Chief Says
Cyberattacks represent the "biggest systemic risk" facing the U.S., though government officials may not be tackling the range of cyber vulnerabilities in an optimal manner, Securities and Exchange Commission Chairman Mary Jo White said.
Ms. White, speaking Friday in Washington, noted that regulators, law-enforcement agencies and public companies have scrambled to get a better handle on cyberthreats with wide-ranging implications for national security and the economy.
While she said those efforts are good, she added she is worried there may still be gaps in how government officials are addressing the issue.
"One of my major concerns about this area is nearly everybody gets how high-level the risk and priority of this is," she said at a conference sponsored by a mutual-fund group. "But who's really got the ticket overall to make sure that it's all sort of coming together in an optimal way? That's something we're still working on I think in the government."
Concerns that hackers could wreak havoc on U.S. firms have prompted industry, particularly Wall Street banks, to work closely with the Federal Bureau of Investigation and other law-enforcement agencies to boost cyberdefenses. Industry officials have said adequately addressing the range of cyberattacks remains daunting, a fact reinforced when J.P. Morgan Chase & Co. said that about 76 million households were affected by an attack on the bank last summer. J.P. Morgan's disclosure followed significant intrusions at Home Depot Inc., Adobe Systems Inc. and Target Corp.
Financial regulators have stepped up coordination, with top policy makers meeting regularly on a panel convened by Treasury Deputy Secretary Sarah Bloom Raskin, a committee Ms. White referenced in her remarks.
At the SEC, some officials have pressured public companies to voluntarily disclose more about breaches at their firms and the agency has ramped up its scrutiny of Wall Street firms' responses to the risks. The SEC in 2011 issued informal staff guidance saying public companies should inform investors of "material" cyberrisks and attacks, but it has left the definition of materiality vague and the response hasn't been consistent across companies.
Top lawmakers have asked the SEC to do more to push companies to disclose major breaches, saying current disclosures are insufficient. Ms. White has said the current guidance has had a positive impact on what companies tell their shareholders.
Talking openly about cyberthreats is controversial in the business community because some executives fear it can make their companies a target for hackers, and public statements can expose firms to litigation.
Ms. White, in a tacit acknowledgment of those concerns, said companies can share information with federal law-enforcement officials outside the public-reporting process.
"Clearly there's a place for disclosure of cyber events that isn't part of the public-company disclosure regime, but it's very, very important that information gets to the right source in the Department of Homeland Security, FBI, etc., and then that the private sector is being informed 'look out for this', 'look out for that'," she said.