WASHINGTON--Cyberattacks represent the "biggest systemic risk"
facing the U.S., yet no one at the federal level is charged with
ensuring the risk is being addressed in an optimal way, Securities
and Exchange Commission Chairman Mary Jo White said Friday.
While regulators, law enforcement agencies and the private
sector have scrambled to address cybersecurity, Ms. White said she
is worried no one is "looking at the entire picture."
"Who's really got the ticket overall to make sure that it's all
sort of coming together in an optimal way?" she said, speaking at a
conference sponsored by the Investment Company Institute, a
mutual-fund industry group.
The comments come as some SEC officials have pressured public
companies to voluntarily disclose more about breaches at their
firms and as the agency ramps up its scrutiny of Wall Street firms'
responses to the risks. The SEC in 2011 issued guidance saying
public companies should inform investors of "material" cyber risks
and attacks, but it has left the definition of materiality
vague.
A review of about 100 brokerages and investment advisers last
year found that the vast majority reported cyberattacks directly or
through one or more vendors, according to a report released by
regulators earlier in February.
Concerns that hackers could wreak havoc on U.S. firms have
prompted industry, particularly Wall Street banks, to work closely
with the Federal Bureau of Investigation and other law enforcement
agencies to boost cyberdefenses.
Yet industry officials have said adequately addressing the rang
of cyberattacks remains daunting, a fact reinforced when J.P.
Morgan Chase & Co. said that about 76 million households were
affected by an attack on the bank last summer. J.P. Morgan's
disclosure followed significant intrusions at Home Depot Inc.,
Adobe Systems Inc and Target Corp.
In addition, talking openly about cyberthreats is controversial
in the business community because some executives fear it can make
their companies a target for hackers, and public statements can
expose firms to litigation.
Ms. White, in a tacit acknowledgment of those concerns, said
companies can share information with federal law-enforcement
officials outside the public-reporting process.
"Clearly there's a place for disclosure of cyber events that
isn't part of the public-company disclosure regime but it's very,
very important that information gets to the right source in the
Department of Homeland Security, FBI, etc., and then that the
private sector is being informed "look out for this', "look out for
that'," she said.
Write to Andrew Ackerman at andrew.ackerman@wsj.com
Access Investor Kit for Adobe Systems, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US00724F1012
Access Investor Kit for The Home Depot, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029
Access Investor Kit for JPMorgan Chase & Co.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US46625H1005
Access Investor Kit for Target Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US87612E1064
Subscribe to WSJ: http://online.wsj.com?mod=djnwires