A new line of defense in cybersecurity, with help from the SEC

[Commentary] We have been in enough classified briefings over the years to know the details of the most significant threats to our national security and our way of life. One vulnerability in particular keeps us up at night: the state of our nation’s cybersecurity. The directors of national intelligence under President George W. Bush and President Obama have called cyberattack the greatest long-term threat to our nation. Adm. Mike Mullen, the former chairman of the Joint Chiefs of Staff, has put it even more starkly, saying that cyberattacks pose one of only two existential threats to the United States.

On Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events. Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years. Make no mistake: Our country is under cyberattack, and our national security and economic future are at severe risk. We believe that the SEC’s guidance — and the market-driven changes it will create in the way that the private sector considers risks — is a critical step toward improving U.S. cybersecurity.

