Amid the fallout from summer battles against the Sobig and Blaster worms, one influential member of Congress is considering whether to force companies to publicize their readiness to combat future cyberattacks.
Rep. Adam Putnam (R-Fla.), head of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, wants companies to fill out a cybersecurity checklist in their filings with the SEC. Though the feeling on Capitol Hill is that companies aren’t doing enough to secure their piece of the Internet, Putnam is the first legislator to endorse a reporting requirement.
After a subcommittee hearing last month, Putnam said his approach would force executives of publicly traded companies to pay attention to cybersecurity. “It is the least blunt instrument and the least regulatory approach,” Putnam said.
Because he hadn’t introduced any legislation as of mid-September, it’s unlikely such a bill would pass this year, but some cybersecurity experts predict that any further Internet attacks would put pressure on Congress to take action sooner.
Bob Dix, the subcommittee’s staff director, says a cybersecurity reporting requirement styled after the financial reporting rules in the Sarbanes-Oxley Act would raise awareness among top-level executives. Disclosures could take the form of a checklist, asking such questions as, “Do you have an up-to-date IT assets list?” Companies that have several unchecked items may cause concern among stockholders, board members or customers, and be forced by the marketplace to deal with cybersecurity, say the concept’s supporters.