Sony and Nintendo share prices take a hit after the companies were successfully hacked.
The SEC has also set the expectation that shareholders will be notified when a cyber attack poses a specific and material risk.
In her response, Schapiro argued that existing disclosure requirements under federal securities law require firms to disclose risks and events that a reasonable investor would consider important to an investment decision. She noted there is some flexibility in how the rules are administered.
"Whether a company is required to provide risk factor disclosure regarding potential cyber attacks, including the potential financial or reputational impacts of the attacks, will depend on the facts and circumstances of the company, and the determination of various factors, including the probability of the risk occurring and the magnitude of the risks," Schapiro wrote.