Cyber risk is business risk, and the SEC knows it 

A long overdue policy change to improve corporate governance on cybersecurity is taking effect.

At the end of July, the Securities and Exchange Commission adopted new rules requiring publicly traded companies and foreign private issuers to disclose material cybersecurity incidents; they are also required to annually update their cybersecurity risk management policies and governance. These companies are drivers of innovation and critical to the strength of the U.S. economy. It is in the public interest that they take corporate responsibility for their cybersecurity. 

This guidance comes none too soon, as American businesses are under an unprecedented level of cyber threat. Compromises of personal data are a daily occurrence. Ransomware attacks are up and increasingly costly to address. Cyber theft of proprietary information is persistent. Foreign nations are installing malware to facilitate future malicious activity. And because of our perpetually increasing network integration (which fuels economic growth), the consequences of successful cyberattacks are also growing exponentially. 

When we served together on the congressionally mandated
