SEC Says Public Companies Must Disclose Cyberattacks
The Securities and Exchange Commission on Thursday issued new guidelines that said publicly-traded companies must disclose when they suffer cyberattacks and describe intellectual property stolen by hackers.
Previously, publicly-traded companies were not required to report computer intrusions or whether they had fixed the problem in their SEC filings. But starting next year, they must acknowledge those cyberattacks to regulators and explain measures they plan to take to close their cybersecurity gaps, according to the SEC guidance.
"This is a huge paradigm shift,'" said Tom Kellermann, chief technology officer of mobile security company AirPatrol Corp.
In May, a group of Democratic lawmakers, including Senate Commerce Committee Chairman Jay Rockefeller, sent a letter to the SEC asking regulators to clarify whether companies must disclose cyberattacks or data breaches or the risk of them occurring. The committee's review of SEC filings found that companies did not reveal measures they took to improve cybersecurity and were vague about their cyber vulnerabilities.
"In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk," the letter said.
The SEC guidance issued Thursday expands the list of things subject to disclosure to include computer intrusions or theft of data that could affect investor decisions. For example, if malware infiltrates a company's computer network, the company "may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences," the SEC guidance said. It also says companies should disclose the risk of cyber incident if they are "among the most significant factors that make an investment in the company speculative or risky."
"A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context," the guidance said.
Before Thursday's release, only certain segments of the economy were required to report cyberattacks. Banks are required to report intrusions to the Department of Treasury and the health care sector is required to report data breaches to the Department of Health and Human Services. Some states have mandatory reporting requirements for companies, but only regarding theft of customer information and not about the theft of intellectual property or cyberattacks in general.
Google has been one of the rare public companies to reveal they have been hacked, claiming in June that Chinese hackers tried to steal hundreds of Gmail passwords belonging to journalists, Chinese activists and senior U.S. government officials.
But most public companies choose to keep quiet about computer intrusions to protect their reputations. In a survey of more than 1,000 global companies, only three in 10 said they reported all data breaches, according to a report released earlier this year by Science Applications International Corporation and the security firm McAfee. The rest of the companies said they only reported some incidents or only what they were legally required to.
"Today a public company can lose a top-secret recipe, a go-to-market plan or other key secret and they are reluctant to report it given the potential backlash from customers, shareholders, and the market," the report said.
While calling for more disclosure, the SEC guidance said regulators were "mindful" of concerns that revealing too much would provide a "roadmap" for hackers to infiltrate a company's cybersecurity.
Kellermann said publicly-traded companies will not be pleased about the SEC guidance.
"They're going to freak out," he said. "They would rather live in a land where they can hide behind the veil of plausible deniability."
Now, the value of a company's stock can be directly impacted by the new reporting requirements, and if the company sweeps cyberattacks under the rug, it will face penalties from the SEC, he said.
The SEC is "saying go to the doctor and get tested," Kellermann said. "And don’t just tell me everything is cool."