SEC updates disclosure rules to include breaches


U.S. securities regulators on Thursday issued new guidance that aims to clarify public companies' obligations for disclosing cybersecurity risks to investors.

The document, issued by the SEC's Division of Corporation Finance, states that companies must disclose known or potential cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” Where that is the case, organizations may have to disclose both the known and the potential costs of such breaches, as well as any other consequences.

The update does not technically create any new SEC requirements, or modify existing ones, an agency spokeswoman said on Friday. Instead, it is meant to show companies how cybersecurity issues fit within the framework of their existing disclosure obligations.

Existing SEC regulations mandate that publicly traded companies reveal “material” risks and events, meaning those a reasonable investor would consider important when deciding whether to buy or sell the company's stock. Current disclosure requirements do not, however, explicitly refer to cybersecurity risks and incidents.

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said on Thursday that the guidance “fundamentally changes” how companies will ultimately handle cyber incidents. Last May, Rockefeller, with several other federal lawmakers, asked the SEC to clarify such reporting requirements.

“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them,” Rockefeller said in a statement. “Intellectual property worth billions of dollars has been stolen by cybercriminals, and investors have been kept completely in the dark. This guidance changes everything.”

Organizations will now be better positioned to protect their networks from breaches, he said.

The guidance does not call for detailed technical disclosures, however, noting that they could hinder cybersecurity efforts by giving attackers a “roadmap” of how to infiltrate a target environment.

Even so, Tom Kellermann, chief technology officer of mobile security firm AirPatrol and a member of the Commission on Cybersecurity for the 44th Presidency, called the guidance “tremendously significant.”

“It dispels the fog of plausible deniability and challenges corporations to make cybersecurity a functionality of conducting business in a digital world,” Kellermann said in an email on Friday. “This guidance ushers wind into the sails of the cybersecurity community.”
