THE US SECURITIES AND EXCHANGE COMMISSION (SEC) is requiring companies to report cyber attacks against their computer infrastructures and the cost associated with them in order to put cyber security risks into context for investors.
The Commission doesn't want to ask companies to expose themselves to more attacks by disclosing sensitive details about past security breaches, but since such incidents can have a large impact on operations and finances, investors have a right to know the risks.
"We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a 'roadmap' for those who seek to infiltrate a registrant's network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws," it writes in a guidance document published yesterday.
"Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence," it adds.
Even though there is no disclosure requirement that explicitly refers to cyber security, other requirements, such as description of business, legal proceedings, or financial statements, might force a company to disclose cyber incidents.
For example, a cyber attack could result in the theft of proprietary information and trade secrets, which in turn could reduce the value of a company's products. Similarly, a security breach that exposes customer information could easily result in the loss of customers or an inability to attract new ones.
Financial statements can be significantly impacted by remediation costs associated with hiring security experts and legal consultants, deploying new technology and training employees, as well as by costs arising from legal liability and litigation.
Heartland Payment Systems, a US-based payment processor allegedly compromised by the infamous hacker Albert Gonzalez, reported losses of $12.6 million related to legal fees, fines paid to Visa and MasterCard, the replacement of millions of compromised credit cards and other costs.
According to the new SEC guidelines, companies must also disclose the cyber security risk factors associated with their businesses. This can mean aspects of their operations that increase the likelihood of cyber attacks, as well as the potential consequences of such incidents. They must also disclose how they address those risks and describe their relevant insurance coverage.