SEC Outlines New Guidelines Requiring Companies to Report Cyber Attacks

The Securities and Exchange Commission (SEC) has issued new guidance requiring publicly traded companies to disclose significant cyber thefts or attacks, and to disclose material cyber risks even when no attack has yet occurred. The aim is for investors to know about such risks when they invest their money, so that they can choose not to invest in companies they believe are at greater risk of cyber attack.

Companies that don’t comply could face SEC enforcement actions or even be sued by shareholders. Regulators could also send letters calling for improvement in their disclosure practices, according to a report by www.washingtonpost.com. Most companies won’t disclose such incidents because they fear a loss of reputation in the business community. The SEC says this is exactly why the guidance is necessary: to make clear that disclosure of material breaches is mandatory.

However, business owners say that requiring companies to disclose such attacks and the losses associated with them forces businesses either to invest in increased security or to spend money fighting the lawsuits that follow such losses. Either way, the cost falls on the company.

One problem area in all this is that companies sometimes have no idea how to assess the damage done by a cyber attack. Putting a value on a breach requires knowing what data was accessed or taken, which in turn depends on forensic evidence (logs, system images, network records) that many organizations do not collect or retain. Most companies are ill-equipped to determine the value or the extent of the data lost, and if they are not allowed some leeway as they adapt to the new guidance, the result could be chaos and confusion.

As an example, one of the few companies ever to report a compromise to the SEC was Intel, which disclosed an attack that took place in January 2010. This was shortly after Google had disclosed its own hacking incident, in which attackers based in China stole valuable source code; Google was one of over 80 companies hit by that same malware.

An Intel spokesman stated that, as far as the company could tell, nothing of value was taken, but that it could not say so with absolute certainty.

According to the SEC, it does not want companies to disclose confidential or proprietary information (such as technical details that would help attackers), but it does want investors to know when companies come under attack, what was lost, and whether a company is currently vulnerable to attack.

For more information about the new SEC requirements, visit: http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_story.html