Congress May Impose Cybersecurity Reporting Requirements
With cyberattacks on the rise and some companies still unprepared to deal with the aftermath, Congress may get involved by requiring public companies to file cyber reports with the Securities and Exchange Commission (SEC).
The Internet remains one of the last unregulated frontiers, and many who use it to make money would prefer to see it stay that way. However, some members of Congress believe that chief executive officers need to take a more active role in knowing whether their companies are prepared for an information systems failure, hence the potential reporting requirement.
"The government has essentially relied on the voluntary efforts of industry both to make less buggy software and make systems more resilient," Michael Vatis, former director of the National Infrastructure Protection Center at the FBI, told the New York Times. "What we're seeing is that those voluntary efforts are insufficient, and the repercussions are vast."
Rep. Adam Putnam (R-FL), chair of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, is reportedly considering introducing legislation later this year to address the knowledge gap that occurs when no one tracks just how far-reaching the results of cyberattacks can be. The reporting requirement would go a long way toward filling that gap.
While the primary focus of Congress’ Internet attention will stay on anti-spam legislation, the subcommittee will consider cybersecurity reporting that could parallel the reporting requirements laid out by the 2002 Sarbanes-Oxley Act.
Experts say that Congress should avoid a “one size fits all” law, since a variety of uses and requirements exist among corporations.
"Different companies have different security needs and different risks. So it's impossible to set up a mandate for everyone," Daniel Burton, vice president of government affairs for security vendor Entrust, told PC World.