Security Experts:

SEC May Require Companies to Disclose Data Breach Incidents

SEC Looking to Protect Investors and Boost Breach Disclosure

On Thursday, the U.S. Securities and Exchange Commission’s Corporation Finance division released guidance to publically traded companies on cybersecurity incident disclosure. The goal is to inform investors of risk, and release more information when filing with the SEC.

SEC Requiring Breach DisclosureAs things stand, the SEC stated, there are no requirements that mention cybersecurity. Yet, publically traded companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

“We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws,” the SEC states.

When determining a risk profile, public companies are told to “take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents... including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”

Moreover, public companies “must provide certain disclosures of losses that are at least reasonably possible” both during and after a breach, in corporate filings. But, even so, they have a window of silence.

In the same section the SEC says if the security incident is discovered after the balance sheet date, but before the issuance of financial statements, “...registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.”

“If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.”

Speaking to the media, Senator John Rockefeller said the SEC’s move changes everything. In the past, he has voiced concerns that publically traded companies were not disclosing security breaches adequately. “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.”

However, some debate is needed. Will this really change anything when it comes to the state of security within a publically traded company? Most likely not. But, please share your thoughts in the comment section below— we’re interested in hearing from you.

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.