SEC to require businesses to disclose cyber attacks

Public companies will now be required to disclose attacks that could affect investors

The media has seen no short supply of cyber attacks to cover this year.  Many are the obnoxious hacktivists clambering for their place in the sun…by hacking Sony and PBS.  Should public (or soon-to-be public) companies be required to disclose cyber attacks?  The SEC thinks so.

The Securities and Exchange Commission announced late Thursday that public companies will now be required to reveal cyber attacks—a move that was pushed by Senator John (Jay) Rockefeller of West Virginia.

Rockefeller explained that the new guidance “will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.”

Of course, there are some caveats.  Google won’t be required to disclose that some punk 15-year-old hacked into Google+ to change his sister’s screen name to Cat Butt Face.  But it will be required to report any attack that meets the following standards:

1)    It poses a significant risk factor for investing in the company.  This means that the frequency and severity of an attack will be taken into account when deciding whether a company should disclose it, along with the potential for misappropriated assets, data corruption, or stolen confidential information.

2)    The attack is likely to impact a company’s operations, liquidity, or financial condition—or would prevent reported financial information from indicating the company’s future operating results or financial condition.  For example, if intellectual property is stolen, it’s more than likely to have a negative material impact on the company, and the company would be required to describe the property stolen and the potential effects of the theft.

3)    The attack negatively affects a company’s products, services, or relationships with customers and suppliers.  The victimized company would be required to report this information in its “Description of Business.”

4)    The attack results in legal proceedings.

5)    It has a “broad impact” on a company’s financial statements.

The SEC noted that companies will not be required to explain how they plan to prevent future attacks, as that would only end up providing a roadmap for future hackers.

Google made waves last year when it daringly stepped up to the plate to reveal that it had been the object of a massive, highly sophisticated, and targeted cyber attack that originated in China.  The attack, Google said, appeared to be aimed at accessing the Gmail accounts of a number of Chinese human rights activists.

Just this past June, Google reported yet another attack from China aimed at obtaining the Gmail passwords of everyone from U.S. government officials, journalists, Chinese political activists, and more. 

What makes Google’s actions so unique is the fact that many companies don’t come forward and disclose cyber attacks for fear that it might scare off shareholders.  At the time that Google reported the first attack, the company added that several other major companies had also been hacked—it wasn’t the only one.

Indeed, cyber attacks are much more common than most people think.  A recent report from McAfee revealed one of the largest, longest running cyber attacks in history, affecting 72 organizations and companies across virtually every industry around the world.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” wrote Dmitri Alperovitch, McAfee’s VP of Threat Research, in the report.  “In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

Image source: bizandlegis.com