Corporate America managed to thwart momentum this year for a law that would require public companies to report cyber-security plans to the Securities and Exchange Commission.
Eager to mollify lawmakers who promised to bring the issue back up next year, the industry is now working toward a viable alternative.
The most aggressive reporting proposal under way is a draft bill by Rep. Adam Putnam, R-Fla. The bill would require public companies to file cyber-security plans with the SEC. Companies are particularly leery of SEC involvement, however, fearing that the agency lacks cyber-security expertise and that reporting could be costly.
"You can put a lot of liabilities on companies when they're asked to report about their operations, and those liabilities aren't necessarily productive in reducing vulnerabilities," said Greg Garcia, vice president of information policy at the Information Technology Association of America, in Arlington, Va.
If reporting requirements are inevitable, however, the Federal Trade Commission may be more palatable to the industry because it has already addressed cyber-security problems such as identity theft and spam, sources said.
From the perspective of security vendors, federal action is necessary because, absent a legal incentive, the difficulty of estimating costs, benefits and penalties inhibits a company's implementation of security policies, said Daniel Burton, vice president of government affairs at Entrust Inc., of Addison, Texas.