6.5: Cyber Attack Information

Consider networks for sharing information or improved reporting requirements for publicly traded companies that have been victims of cyber attacks.

Other Information:

We should consider networks for sharing information or improved reporting requirements for publicly traded companies that have been victims of cyber attacks. New guidelines issued in October 2011 direct public companies to review the "adequacy of their disclosure relating to cybersecurity risks and cyber incidents," but these non-binding guidelines are not adequate. Firms can report general declarations of vulnerability or discussions of a threat environment without revealing, and being held accountable for, specific losses. While it is important not to interfere with law enforcement and forensic investigations, firms that do not face short-run costs from successful attacks are much less likely to invest adequate resources in preventing them. This is particularly important for the theft of strategic information, which can have a cumulative effect on the American innovation-based economy. If no one reports serious data theft, policy makers will lack the information necessary to understand the threat of cyberespionage and will not be in a position to respond accordingly, both domestically and internationally.

Indicator(s):