Sen. Jay Rockefeller, D-W.Va., is adding stronger reporting requirements to cybersecurity legislation. The requirements would replace the current voluntary guidelines for when companies should report incidents such as customer data breaches to the SEC, according to an article on sfgate.com.
Voluntary Disclosure Guidelines Not Effective
Apparently, the current voluntary disclosure guidelines are not sufficiently motivating public companies to disclose how cybersecurity risks might affect their bottom lines.
For example (according to the article), Amazon omitted from its 2011 annual report references to the theft of customer data held by Zappos, its online shoe company. Amazon apparently changed the report after the SEC objected. But Amazon continued to claim that the breach had no material impact on its business and was thus not even subject to voluntary disclosure.
To help the public make investment decisions, the law would require companies to disclose cyber breaches and describe what measures they are taking to protect against future electronic intrusions.