US securities regulators have formally asked public companies for the first time to disclose cyber attacks against them, reports Reuters.
The US Securities and Exchange Commission issued guidelines on October 13 that sets out the kinds of information companies should disclose relating to cyber security risks and cyber incidents:
[…] Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.
In its guidance document, the SEC says that reporting on cyber security risks and cyber incidents should be included in Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A).
The SEC also makes clear that the guidance is just that, not a rule, regulation, or statement, although I can’t imagine many publicly-listed companies covered by SEC oversight not making any disclosure if warranted.
The SEC’s guidance is comprehensive in scope, enabling any company to clearly see what they need to do.
- More in the Reuters report: SEC tells companies to disclose cyber attacks
The subject of cyber security is high on the political agenda, too. Next month, the London Conference on Cyberspace takes place with a stated aim of offering “a focused and inclusive dialogue to help guide the behaviour of all in cyberspace.” Speakers include senior representatives from governments, business and civil society.
Follow the conference on Twitter: @LondonCyber.