Publicly traded companies should disclose real or potential cyber attacks capable of disrupting business operations or financial stability, the U.S. Securities and Exchange Commission said.
Under guidance issued yesterday by the agency’s division of corporation finance, the SEC said financial statements should address the threat posed by hackers if a network breach is “reasonably likely” to have a material effect on a company, including the theft of intellectual property or increased security costs.
“This guidance fundamentally changes the way companies will address cybersecurity in the 21st century,” Senator Jay Rockefeller, a West Virginia Democrat, said in a news release. Rockefeller and four other senators wrote to SEC Chairman Mary Schapiro on May 11 urging the agency to issue recommendations regarding corporate disclosure of cybersecurity risk.
Data breaches at Sony Corp., Citigroup Inc. and other companies have sharpened U.S. government scrutiny of how businesses safeguard consumer information and respond to cyber attacks. The Obama administration on May 12 sent Congress a proposal that called for shielding banks, power grids and government computers, creating a uniform data-breach notification law and requiring owners of critical systems to develop network-security plans.
“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them,” Rockefeller, chairman of the Senate Commerce Committee, said. “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark.”
A House Republican task force led by William “Mac” Thornberry of Texas released recommendations for boosting the nation’s cybersecurity that emphasize voluntary industry incentives. Senate Majority Leader Harry Reid, a Nevada Democrat, is compiling comprehensive cybersecurity legislation.
In its guidance, the SEC said it recognizes concerns that “detailed disclosures” may give hackers a road map to infiltrate corporate networks, and said such disclosures are not required under federal securities law. The agency also cautioned companies to avoid generic “boilerplate” disclosures and instead provide “sufficient” information to “allow investors to appreciate the nature of the risks.”
SEC spokesman John Nester declined to comment beyond the agency’s guidance.