Advisen FPN

Advisen Front Page News - Friday, February 16, 2018

   

Dow Jones

Investors Aren't Getting the Full Story on Cyberthreats, Regulator Says
Publication Date 02/14/2018
Source: Dow Jones News Service
By Dave Michaels 

Investors in public companies are ill-served by how firms disclose cybersecurity risks, cuing the need for the government to intervene, a senior federal regulator said this week.

The Securities and Exchange Commission should consider imposing new rules mandating that firms offer more detailed disclosures of how they plan to fend off hackers, Commissioner Kara Stein, a Democrat, said late Tuesday. The SEC has historically considered cybersecurity to be like any other risk, meaning businesses only have to disclose material breaches or threats that could affect the appetite for their stock.

Speaking to a group at Stanford University, Ms. Stein said that approach has served investors poorly. "Unfortunately, corporate disclosures are far from robust and largely consist of boilerplate language that fails to provide meaningful information for investors," she said.

Corporations have been on high alert about hackers, particularly since Equifax Inc. last year disclosed that cyberthieves stole personal information belonging to 145.5 million consumers, including names, Social Security numbers, dates of birth and addresses. The hackers roamed undetected in Equifax's computer network for more than four months before its security team uncovered the massive data breach.

New regulations may be needed to provide shareholders with a fuller picture of a company's defenses, Ms. Stein said. "The commission should consider rules to require disclosure of a firm's enterprise-wide consideration of cyberrisks," she said.

The SEC itself was hacked in 2016, when intruders breached part of its system for disseminating market-moving news about public companies. The agency's enforcement division is probing whether the hackers traded illegally on the information they stole.

Ms. Stein said the regulator "clearly" failed to seize on the gravity of the breach when it was discovered in 2016. SEC Chairman Jay Clayton, who took over in 2017, has "focused the commission and the staff on improving our risk management framework," she said.

Mr. Clayton hasn't agreed that stricter rules are needed on disclosing cybersecurity risks. His staff has said they are working on guidelines that may give companies more factors to consider, such as the level of cyberintrusion that demands public disclosure. The SEC chairman has also urged companies to improve how they communicate the risk of breaches to shareholders.

"Companies should be providing sooner disclosure about intrusions that may affect shareholder investment decisions," Mr. Clayton told the Senate Banking Committee in September.

Ms. Stein said many investors have pressed for better disclosure of cyberthreats through resolutions that get a shareholder vote at a firm's annual meeting. But many businesses haven't taken the hint, which she called a troublesome sign of waning engagement with shareholders.

Write to Dave Michaels at dave.michaels@wsj.com
