Despite recent guidance from the federal government explaining when publicly traded companies must disclose details about information security incidents, many companies are failing to do so, according to a new report.
Last October, the Securities and Exchange Commission (SEC) issued guidance for publicly traded companies detailing how and when they need to report data breaches.
However, the majority of businesses still aren’t reporting those incidents, according to a recent investigation by Reuters.
The news organization looked at more than 2,000 filings since the SEC’s guidelines were issued. Though some companies had included new information about cybersecurity risks and incidents, many firms that are known to have suffered breaches did not report them.
For example, defense contractor Lockheed Martin suffered an attack last May, but did not include any information about the breach — or about cybersecurity risk in general — in its most recent 10-Q quarterly filing, Reuters reports.
The SEC’s guidelines, which clarified existing rules rather than creating new ones, say that information about some security attacks and the significant risk of future incidents should be included in companies’ standard disclosure material. Companies should report attacks if they:
- Have a material effect on the organization’s financial condition (if profits are lost, for example)
- Could result in reported financial information no longer being accurate, or
- Require the company to materially increase its security expenditures.