WASHINGTON--Cyberattacks represent the "biggest systemic risk"
facing the U.S., though government officials may not be tackling
the range of cyber vulnerabilities in an optimal manner, Securities
and Exchange Commission Chairman Mary Jo White said.
Ms. White, speaking Friday in Washington, noted regulators,
law-enforcement agencies and public companies have scrambled to get
a better handle on cyberthreats with wide-ranging implications to
national security and the economy.
While she said those efforts are good, she added she is worried
there may still be gaps in how government officials are addressing
the issue.
"One of my major concerns about this area is nearly everybody
gets how high-level the risk and priority of this is," she said at
a conference sponsored by a mutual-fund group. "But who's really
got the ticket overall to make sure that it's all sort of coming
together in an optimal way? That's something we're still working on
I think in the government."
Concerns that hackers could wreak havoc on U.S. firms have
prompted industry, particularly Wall Street banks, to work closely
with the Federal Bureau of Investigation and other law-enforcement
agencies to boost cyberdefenses. Industry officials have said
adequately addressing the range of cyberattacks remains daunting, a
fact reinforced when J.P. Morgan Chase & Co. said that about 76
million households were affected by an attack on the bank last
summer. J.P. Morgan's disclosure followed significant intrusions at
Home Depot Inc., Adobe Systems Inc. and Target Corp.
Financial regulators have stepped up coordination, with top
policy makers meeting regularly on a panel convened by Treasury
Deputy Secretary Sarah Bloom Raskin, a committee Ms. White
referenced in her remarks.
At the SEC, some officials have pressured public companies to
voluntarily disclose more about breaches at their firms and the
agency has ramped up its scrutiny of Wall Street firms' responses
to the risks. The SEC in 2011 issued informal staff guidance saying
public companies should inform investors of "material" cyberrisks
and attacks, but it has left the definition of materiality vague
and the response hasn't been consistent across companies.
Top lawmakers have asked the SEC to do more to push companies to
disclose major breaches, saying current disclosures are
insufficient. Ms. White has said the current guidance has had a
positive impact on what companies tell their shareholders.
Talking openly about cyberthreats is controversial in the
business community because some executives fear it can make their
companies a target for hackers, and public statements can expose
firms to litigation.
Ms. White, in a tacit acknowledgment of those concerns, said
companies can share information with federal law-enforcement
officials outside the public-reporting process.
"Clearly there's a place for disclosure of cyber events that
isn't part of the public-company disclosure regime, but it's very,
very important that information gets to the right source in the
Department of Homeland Security, FBI, etc., and then that the
private sector is being informed "look out for this', "look out for
that'," she said.
Write to Andrew Ackerman at andrew.ackerman@wsj.com
Access Investor Kit for Adobe Systems, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US00724F1012
Access Investor Kit for The Home Depot, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029
Access Investor Kit for JPMorgan Chase & Co.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US46625H1005
Access Investor Kit for Target Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US87612E1064
Subscribe to WSJ: http://online.wsj.com?mod=djnwires