WASHINGTON (Reuters) - Investigators at the U.S. Securities and Exchange Commission are on the lookout for violations such as poor risk controls or lax disclosures relating to hacking and other cyber breaches, a top SEC official said Friday.
“Cyber security... is an area where we have not brought a significant number of cases yet, but is high on our radar screen,” David Glockner, director of the SEC’s Chicago Regional Office, said at the Practising Law Institute’s annual SEC Speaks conference.
U.S. policymakers have been paying close attention to cyber security over the past few years, in the wake of high-profile attacks against public companies like Target and Home Depot, as well as banks such as JP Morgan Chase.
In 2011, the SEC drafted some informal staff-level guidance for public companies on whether to disclose cyber attacks and their impact on a company’s financial condition.
There is no formal rule, however, outlining when and how cyber incidents must be disclosed, and states have differing laws on when and how customers must be informed about breaches.
Some have said the SEC should consider taking more steps to require public companies to disclose major breaches more quickly, though SEC Chair Mary Jo White has previously said the cyber security guidance appears to be working well.
Last year, the SEC also made cyber security a priority in its compliance examination program. As part of that, examiners looked at policies that brokers and asset managers have in place to prevent and detect cyber attacks, as well as how they conduct due diligence to review third-party vendors.
Glockner said Friday the SEC was looking particularly at two areas.
One is the cyber security controls that companies have in place to protect market integrity. The other, he said, is how adequately companies are disclosing “material” cyber events.
He said the enforcement division was working closely with SEC examiners to share and coordinate on the topic.
Editing by Bernadette Baum