We at the Commission have not yet adequately pressed forward. While the Commission’s staff has released disclosure guidance for public companies to consider when dealing with cyberrisks and breaches, the Commission can and should do more. I believe the Commission should consider rules to require disclosure of a firm’s enterprise-wide consideration of cyberrisks. I also believe that we should develop rules to ensure that market intermediaries, including broker-dealers and investment advisers, develop and implement policies and procedures to protect investors’ personal information.The security and integrity of a corporation’s assets, like the SEC’s, is a great responsibility. As I said earlier, cybersecurity has been viewed by many as simply an “IT” problem, hoisted on the shoulders of a company’s chief information officer. Too often, this has led to a failure to integrate cybersecurity into a firm’s enterprise risk management framework. To be sure, some companies are focused on cyberthreats and recognize their potential economic threat. But companies need to do more than simply recognize the problem. They need to heed the calls of their shareholders and treat cyberthreats as a business risk. Corporations and shareholders will both benefit from greater transparency and focus on the risks related to unintended data loss and the collateral consequences.