Year 2000 opens door to more federal rules for IT

by Paul A. Strassmann

Computerworld

August 31, 1998


Welcome to the new era of government oversight of corporate IT!

On July 29, the chairman of the Securities and Exchange Commission sent out 9,000 letters to corporate executives directing them to comply with elaborate year 2000 disclosure requirements.

This is an epochal event for corporate information management. Year 2000 oversight by the SEC is only the opener for further regulatory interference. Relying on the year 2000 precedent, government regulators will surely extend their reach into security and safety, standards for electronic commerce and certification of software reliability. In the future, many of the key decisions about IT will be subject to the same scrutiny as originators of pollution, purveyors of tobacco or makers of breast implants. Decisions that should have been made by CIOs and corporate executives now will be shaped by lawyers, government officials, lobbyists and legislators.

The SEC's disclosure requirements are more thorough than what CIOs normally would report to their executive committees. The following are some of the items the SEC expects to receive:

  • An estimate of the material effect of year 2000 failures on a company's business, without taking into account the company's efforts to avoid those consequences, such as fixing its software and correcting its databases. The company must assume it could not be year-2000 compliant in time, regardless of the money spent or planned to be spent. Costs of failure include operating losses expected to result if a company, its suppliers or customers fail to correct year 2000 deficiencies.

  • A detailed analysis of the readiness of all embedded systems.

  • An itemized schedule showing how far a firm has progressed toward year 2000 compliance.

  • Progress, as defined by the percentage of the year 2000 budget spent to date for the assessment, remediation, testing and compliance phases of millennium projects.

  • Analysis of a company's year 2000 issues relating to third parties with which it has a material relationship.

  • The cost of becoming year 2000-compliant, including money spent to date and estimated costs to complete the work. At the end of each quarter, companies must disclose how much of the total estimated year 2000 project costs have already been incurred.

  • Identification of the source of year 2000 funding, including the percentage of the IT budget used.

  • Methods used to secure independent verification and validation of risk and cost estimates submitted to the SEC.

  • A description of the contingency plan for handling the most likely worst-case scenarios, by answering the question, "What will the company do if it is not ready?"

The 17-page SEC disclosure statement represents what corporate management should have been asking about the costs and risks of all their IT ventures. As an intracorporate reporting requirement, what the SEC is asking is reasonable.

But because corporate management, IT purveyors and insurance firms failed to address the potential consequences of year 2000 disruptions, we will now be stuck forever with the government telling us what to do and how to manage information systems with a sense of political accountability.

I approve of what the SEC has done, though I dislike it, just as I hated taking spoonfuls of cod liver oil during World War II when it was the only vitamin supplement available.

MANAGEMENT IMPLICATIONS

One should recognize that the SEC didn't act capriciously. It was guided by congressional hearings that reflected politicians' anxiousness to divert any possible blame for failures of the U.S. information infrastructure. Legislation is sure to follow, imposing constraints on information management practices. This situation is analogous to the securities legislation of the 1930s, when failures in the financial markets induced Congress to create the Federal Trade Commission, the SEC and other regulatory agencies.

The SEC Act of 1934 led to financial accounting standards and certification by independent auditors. It elevated the role of the chief financial officer. The entry of government into the systems arena would be positive if it limits itself to emphasizing the increased importance of IT standards and stimulating the creation of independent verification and validation institutions. Its most constructive consequence would be to encourage placing CIOs in positions of fiduciary responsibility for the custody of information assets.

How bad will these SEC requirements be? That depends on how well we adapt to the new circumstances. Corporate management and IT management better get ready to operate under the new rules voluntarily -- before government regulators become enforcement inspectors.


Strassmann testified before the Senate in July 1995 that the legitimacy of CIOs would finally arise from regulations requiring the assignment of responsibility for the integrity of information systems. His Internet address is ceo@stacorp.com.


Copyright 1998 by IDG Communications, Inc., 500 Old Connecticut Path, Framingham, MA 01701.
Reprinted by permission of Computerworld