
SEC Says Public Companies Must Disclose Cyberattacks


First Posted: 10/13/11 10:21 PM ET Updated: 12/13/11 05:12 AM ET

The Securities and Exchange Commission on Thursday issued new guidelines that said publicly-traded companies must disclose when they suffer cyberattacks and describe intellectual property stolen by hackers.

Previously, publicly-traded companies were not required to report computer intrusions or whether they had fixed the problem in their SEC filings. But starting next year, they must acknowledge those cyberattacks to regulators and explain measures they plan to take to close their cybersecurity gaps, according to the SEC guidance.

"This is a huge paradigm shift," said Tom Kellermann, chief technology officer of mobile security company AirPatrol Corp.

In May, a group of Democratic lawmakers, including Senate Commerce Committee Chairman Jay Rockefeller, sent a letter to the SEC asking regulators to clarify whether companies must disclose cyberattacks or data breaches or the risk of them occurring. The committee's review of SEC filings found that companies did not reveal measures they took to improve cybersecurity and were vague about their cyber vulnerabilities.

"In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk," the letter said.

The SEC guidance issued Thursday expands the list of things subject to disclosure to include computer intrusions or theft of data that could affect investor decisions. For example, if malware infiltrates a company's computer network, the company "may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences," the SEC guidance said. It also says companies should disclose the risk of cyber incidents if they are "among the most significant factors that make an investment in the company speculative or risky."

"A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context," the guidance said.

Before Thursday's release, only certain segments of the economy were required to report cyberattacks. Banks are required to report intrusions to the Department of Treasury and the health care sector is required to report data breaches to the Department of Health and Human Services. Some states have mandatory reporting requirements for companies, but only regarding theft of customer information and not about the theft of intellectual property or cyberattacks in general.

Google has been one of the rare public companies to reveal that it has been hacked, claiming in June that Chinese hackers tried to steal hundreds of Gmail passwords belonging to journalists, Chinese activists and senior U.S. government officials.

But most public companies choose to keep quiet about computer intrusions to protect their reputations. In a survey of more than 1,000 global companies, only three in 10 said they reported all data breaches, according to a report released earlier this year by Science Applications International Corporation and the security firm McAfee. The rest of the companies said they only reported some incidents or only what they were legally required to.

"Today a public company can lose a top-secret recipe, a go-to-market plan or other key secret and they are reluctant to report it given the potential backlash from customers, shareholders, and the market," the report said.

While calling for more disclosure, the SEC guidance said regulators were "mindful" of concerns that revealing too much would provide a "roadmap" for hackers to infiltrate a company's cybersecurity.

Kellermann said publicly-traded companies will not be pleased about the SEC guidance.

"They're going to freak out," he said. "They would rather live in a land where they can hide behind the veil of plausible deniability."

Now, the value of a company's stock can be directly impacted by the new reporting requirements, and if the company sweeps cyberattacks under the rug, it will face penalties from the SEC, he said.

The SEC is "saying go to the doctor and get tested," Kellermann said. "And don't just tell me everything is cool."

10:26 AM on 10/17/2011
Kudos to the SEC for taking a stance on this very real problem to our national security and economy driven by innovations.

Publicly traded companies' secrets are increasingly threatened by hackers. And taken to international markets where intellectual property is one of the hottest commodities is the digital oil gold. By requiring businesses to disclose their vulnerabilities, the SEC is doing them, their investors, and the public a service.

SEC is addressing public companies only, and so many privately owned companies face similar issues, perhaps even larger. By specifying sectors, black hat hackers know their targets are valuable, and important to US world strategic position.

American businesses aren't immune to attacks; perhaps they attract hackers due to a false belief of security and incident detection. But by instituting proper risk management and cyber security procedures, business can reduce the risk and, by extension, protect their valuable intellectual property and their customers' sensitive information. Good data security and transparency in business operations are essential to success in the new age of global economies with divided world superpowers.

Ondrej Krehel
Information Security Officer
Data Risk Management and Forensic Services
IDentity Theft | 911
macho macho man
09:18 AM on 10/16/2011
"Today a public company can lose a top-secret recipe, a go-to-market plan or other key secret and they are reluctant to report it given the potential backlash from customers, shareholders, and the market"
THERE ARE LOTS OF WAYS TO GET INFORMATION, USED PC'S,OLD COPIERS, 1 2 3 PASSWORDS, WIRE TAPS, MICRO CAMERAS, AND UNSECURED WIRELESS NETWORKS ARE TREASURE TROVES FOR PEOPLE SEEKING PRIVATE INFORMATION. MOST OF IT ENDS UP SOLD OVERSEAS.
HACKING IS JUST ONE ASPECT OF OUR LEAKY SECURITY.
ONE MAN'S TRASH IS ANOTHER'S TREASURE.
PeterNPaul
Giants only fear slingshots.
11:25 AM on 10/15/2011
I scoff at such rules. So should everyone else.
bkerensa
BenjaminKerensa.com
07:46 PM on 10/14/2011
The question is will the SEC enforce these new rules or let companies slide like they do on every other rule.
teachone
Knowledge is Power
05:18 PM on 10/14/2011
The SEC needs to get busy regulating and arresting those in the crooked financial industry, instead of wasting their time on this, they can find more things to sidetrack themselves with to keep from holding the crooks in the banking and investment industry accountable, is it any wonder things got this bad, quit turning your heads and get busy addressing the REAL PROBLEMS AND THE REAL ILLEGAL ACTS GOING ON!!!!!!
04:47 PM on 10/14/2011
South Eastern Conference? YEA....LOL
03:02 PM on 10/14/2011
I thought Congress made laws, not the SEC. Let's put some brakes on these government agencies.
03:47 PM on 10/14/2011
Why do you think cyber attacks on publicly traded companies are not worthy of scrutiny? They can do serious financial damage. They can blackmail companies, covertly transfer money, steal trade secrets, etc. All of which can adversely affect the performance of a company in which you might have investments. I think this is very important information of which our free enterprise system needs to be aware. It's quite reasonable to me.
04:43 PM on 10/14/2011
Where have you been the last 3 yrs.? Obama said change and you got it!
02:45 PM on 10/14/2011
Not so fast, private sectors should be held to the same standard, rules and regulations. What's good for the goose is good for the gander.
And while I am right at it, my solution is to get rid of the SEC who works for the rich and for the banks but certainly not for the average american. Good bye.
02:07 PM on 10/14/2011
This is another socialist attack on corporations which is why we in the Tea Party wish to abolish the SEC along with the FCC, ATF, IRS, Dept. of Education, CDC, DOE, EPA, HUD, OSHA, and other initials I can't remember also & too! Corporations should not have to disclose cyber attacks just like they don't have to report what their CEO's really get paid or why it is critical the Board of Directors be flown in private jets to tropical islands for meetings, golf or prayer sessions. Quit picking on the pillars of Capitalism as if we give a damn about your petty grievances. You're talking pennies. We're generating billions!
frankieshoes1
lookitupyerdamnedself
03:30 PM on 10/14/2011
could you please explain how you propose to eliminate the IRS since every penny they collect goes to the private institution we know as the Federal Reserve for interest they charge on the money that the Treasury dept. prints???
01:31 PM on 10/14/2011
The SEC should be more concerned with rise in accounting deviance from Benford's law. It shows statistically that corporate book cooking has skyrocketed over the past 20-30 years. The criminals are WITHIN the companies.

http://www.economist.com/blogs/freeexchange/2011/10/accounting
12:36 PM on 10/14/2011
In theory, requiring disclosure would IMPROVE the market (due to the addition of relevant, timely information). Why are the Republicans opposing a move that should result in a more functional market?
neuromantic
01:08 PM on 10/14/2011
Republicans want a free market, not a perfect market. Those terms may have been synonymous in the past, but now a free market means free of rules, free to pollute, free to cause harm, and the only way to get a remedy for wrong doing is to sue (but a related movement is aimed at protecting companies from "frivolous" lawsuits that could harm business...) A perfect market (macro econ 101), where supply and demand and knowledgeable buyers converge on optimal market prices and distribution of goods and services CANNOT exist without some rules. If any conservatives believe the current system would become closer to perfect by deregulation, they really need to re-evaluate their assumptions.
01:33 PM on 10/14/2011
It's best to crack down on white collar crime. Clean house and then re-evaluate the priorities of the business community. Right now it's impossible to see what's gangsterism and what's real.
neuromantic
10:45 AM on 10/14/2011
As much as companies won't like the "black eye," from having to admit they've been hit, this is a real national security issue and makes a lot of sense. Given the existence of some really insidious latent threats (botnets, for example) that can "live" undetected for years, we need good data on when, where, and how these attacks are occurring. Hurray for wise regulation that promotes the best interests of society!
neuromantic
11:02 AM on 10/14/2011
Although, it does open the door for targeted attacks with the goal of stock price manipulation: Attack a company and short sell its stock; attack your competitors; stage a fake attack that you successfully block to raise your company's stock price... Wow, a whole new industry for entrepreneurs. Oh yeah, that already exists: http://www.zdnet.com/news/golden-cash-network-rent-a-botnet/312957
Eris23
Justice is in indefinite detention.
12:14 PM on 10/14/2011
Yes it does. Interesting times.
Rich Cash
Enlisted in 1971 - Retired in 1996
06:34 AM on 10/14/2011
That's to prevent the attackers from being hired by the victims as security consultants....
J T K
Quis custodiet ipsos custodes?
02:13 PM on 10/14/2011
Which is stupid because former black hat hackers make some of the best security consultants. I hate how showy he is about it, but look at Mitnick: he's made a good living out of consulting, as well as writing and speaking of course. Even the CIA supposedly hires former crackers from time to time. The almost cliche rumor being that if you succeed in hacking the CIA or NSA you disappear one way or another.
munki
Global to Local now Local to Global
01:07 AM on 10/14/2011
Who really has authority over our privacy, as many were deported to India when I call for assistance, etc.? Is the US responsible? I asked on many occasions since 2007.