U.S. Senator Jay Rockefeller announced today that he has sent letters to the chief executive officers of all Fortune 500 companies requesting information by October 19, 2012 on how each company is addressing cybersecurity. The broad requests for each company's views on cybersecurity--including how each company developed its own practices and the role of the federal government in developing cybersecurity practices--follow recent unsuccessful efforts by Senator Rockefeller and other lawmakers to pass legislation imposing heightened cybersecurity standards at the national level. The most recent effort, introduced by Senator Joe Lieberman and co-sponsored by Senator Rockefeller, was voted down in the U.S. Senate last month despite White House support.
This is not the first effort by lawmakers to focus on cybersecurity outside of the legislative process. In May of last year, Senator Rockefeller and four other Senators petitioned the SEC to issue guidance to public companies concerning their obligation to provide disclosure about cybersecurity. The SEC's Division of Corporation Finance responded last October by releasing guidance to public companies to assist them in assessing what disclosures should be made when faced with cybersecurity risks and incidents. (Gibson Dunn's alert discussing that guidance is available here.) Senator Rockefeller has also petitioned the White House to issue an executive order that would accomplish goals similar to those of the Lieberman/Rockefeller bill--such as establishing a voluntary program to designate cybersecurity standards for companies in control of critical infrastructure. Critics argue that such efforts circumvent the legislative process, would create new liability risks for covered businesses, and would potentially impose an impractical "one-size-fits-all" approach to cybersecurity across very different settings and businesses.
Although responses to Senator Rockefeller's letters to the Fortune 500 CEOs are voluntary, many businesses will likely offer some response (although that need not come from the CEO). The letters include eight questions designed to discover how companies are addressing cybersecurity and the views of the CEOs on the system the Lieberman/Rockefeller cybersecurity bill would have established if voted into law, including concerns the CEO might have with the voluntary program contemplated in the bill. Recipients of the requests should, of course, recognize that their responses (or failure to respond) may be used in the political battle over cybersecurity regulation and could potentially trigger further contact or Congressional inquiry. A copy of Senator Rockefeller's letter is available here.