How safe is your company from hackers and all the other perils of an ever more tightly connected online world? The SEC is mulling over a proposal to require public firms to outline what they're doing to minimize these risks.
Among those discussing such disclosures with the SEC is the Department of Homeland Security. "What are you doing about your security, physical and cyber?" asks Secretary of Homeland Security Tom Ridge. "Tell your shareholders; tell your employees; tell the communities within which you operate."
"Our critical [cyber] infrastructure must have the same level of protection as our waterways, bridges, railways, streets and borders if we are to be secure," says Rep. Adam H. Putnam (R-FL). He adds that many of those running key operations have failed "to take the threat seriously, to receive adequate training, and to take the steps needed to secure their networks." Putnam, chair of the House Committee on Government Reform's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, initiated the discussion of publicizing cybersecurity measures and is considering legislation to force the SEC's hand if needed.
"We're trying to elevate the whole issue of information security to the CEO level," explains Bob Dix, the Subcommittee's staff director. "It's still viewed as a technical as opposed to a management issue. There needs to be a wake-up call." Reporting requirements would not be onerous, consisting of a checklist covering items such as critical IT assets, says Dix. The checklist would appear in standard documents such as annual reports. Privately held firms would be exempt, but Dix expects a trickle-down effect: not only will smaller firms consider taking the same security steps, but those that partner with big firms may have to upgrade their defenses sooner rather than later.
"Some people resist any kind of government role in the market," Dix acknowledges, and security experts have suggested the federal government should focus on security research or setting security standards for the software it purchases. But so far, Dix says, the reporting proposal has raised little opposition.