SEC requires businesses to disclose cyberattacks

Published 18 October 2011

Last week, the U.S. Securities and Exchange Commission (SEC) unveiled new guidelines that will make it mandatory for companies to report cyberattacks against their networks as well as the costs associated with them to their investors.

The move is designed to provide investors with a better sense of how large cyberattacks are affecting a company’s operations. The SEC was careful to avoid exposing a company to further attacks by asking them not to disclose any sensitive details about security breaches.

“We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security — and we emphasize that disclosures of that nature are not required under the federal securities laws,” the SEC explained in its guidance document, released last Thursday.

“Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence,” it said.

According to the guidelines, companies must disclose the cybersecurity risk factors associated with their businesses and how they plan to address those risks.

The SEC currently lacks an explicit disclosure requirement for cyberattacks, but its other requirements, which call for a description of the business, legal proceedings, and financial statements, can force a company to disclose cyber incidents.

For instance, cyberattacks can lead to the theft of proprietary information or trade secrets, or can damage a firm’s networks, resulting in a decline in the company’s products. Furthermore, financial statements can be significantly affected by a costly cyberattack, as a company must hire security experts and lawyers, deploy new technology, train employees, and deal with the legal costs and liability.