In an op-ed for Harvard Business Review, Shivaram Rajgopal and Bugra Gezer write that cyber risk disclosures in their current form are inadequate. The authors looked at the disclosures through the lens of the recent Marriott data breach. Gezer and Rajgopal argue that guidance from the U.S. Securities and Exchange Commission is “vague at best” and that it allowed Marriott to wait three months to disclose the breach. “The only way to make companies take cyber risk seriously is to impose tough disclosure requirements and actively enforce those rules,” the authors write. “In our view, unless the penalty is significant, senior officers of most companies will simply ignore cyber risk.”