At a hearing on March 4 before the U. S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law and include a requirement that companies report breaches not just to customers but also to law enforcement.
Increasing cyber security disclosures are an important step in increasing much needed transparency into how companies are managing their digital technology. Investors currently have very little visibility into the cyber governance of most companies, and disclosure mandates such as the one under discussion would bring more clarity to the threats that companies face, and to the critical question of whether individual companies are underinvesting in cybersecurity. And while the awareness about the importance of—and capital allocations to—cybersecurity amongst C-Suites has greatly increased in recent years, if companies are mandated to disclose known breaches it would likely bring even greater focus and resources to this critical issue. We say ‘known’ breaches because a large number of actual breaches go undetected altogether by companies. But, if enacted, this would be a positive step nonetheless.
Cyberhedge data shows clearly that the stock prices of companies with poor cyber governance underperform their peers. Encouraging improved cybersecurity at the individual company is therefore a very appropriate systemic issue for governments to address, and at a minimum, increasing disclosure requirements are long overdue. And even though most cyber breaches go undetected, the more attention and resources that are devoted to the issue, the better security—and protection of company assets—will become.