US companies pushed to disclose cyberattacks

New guidelines from US regulators throw a spotlight on disclosure of cyber-incidents

Public companies may need to look more closely at their exposure to cyberattacks after new guidelines were released this week by the U.S. Securities and Exchange Commission.

The guidelines, from the SEC's division of corporation finance, aim to help companies determine when they need to disclose cyberattacks or the amount of risk they pose to a business.

In general, public companies in the U.S. are required to disclose incidents that could have a material impact on their business. While the current regulations don't specifically mention cyberattacks, the new guidelines say they need to be reported in some cases.

Companies should disclose the risk of cyber-incidents "if these issues are among the most significant factors that make an investment in the company speculative or risky," say the guidelines, issued late Thursday.

To determine that, companies need to look at factors such as how likely it is they will be targeted by an attack and what the cost of an attack might be, in terms of disruption to operations or loss of sensitive data.

They may also be required to give details about hacking incidents that took place in the past.

"For example, if a registrant experienced a material cyberattack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur." Instead, they would probably be required to reveal specifics of the incident, the SEC said.

The guidelines come in a year that has seen numerous high-profile hacking incidents, including a massive attack on Sony that forced it to take its PlayStation Network offline for more than a month.

The risk of cyberattacks has always been a potential disclosure issue, but the SEC guidance "really highlights the issue and brings it to the fore," according to David Navetta, a founding partner of Information Law Group, which provides legal services related to IT matters.

Even so, he wrote in a company blog post, "materiality is still going to be a big issue, and not every breach will need to be reported as many/most will not likely involve the potential for a material impact to a company."

One interpretation of the guidelines is that "companies internally are going to have to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security," Navetta wrote.

"This analysis will go well beyond privacy-related security issues where most companies have focused (due to various privacy laws and regulator activity), and implicate key operational issues impacted by security breaches," he said.

James Niccolai covers data centers and general technology news for IDG News Service. Follow James on Twitter at @jniccolai. James's e-mail address is james_niccolai@idg.com
