As the federal government considers laws mandating that businesses report data breaches, the Securities and Exchange Commission recently published guidance on what public companies must disclose about their cybersecurity.
Urged by the Senate commerce committee, the SEC’s Division of Corporation Finance released the guidelines explaining businesses’ requirements to make public information about data security incidents and risks.
This isn’t a new rule from the SEC. Instead, the statement emphasizes that cyberattacks fall under the long-standing requirement that businesses report “material” developments that are significant enough that shareholders would reasonably want to know about them.
Information about some security attacks and the significant risk of future incidents should be included in companies’ standard disclosure material. For example, companies should report attacks if they:
- Have a material effect on the organization’s financial condition (if profits are lost, for example)
- Could result in reported financial information no longer being accurate, or
- Require the company to materially increase its security expenditures.
The guidance also says companies must disclose any unusual security risks investors would want to know about. However, it is unclear to many IT experts how that requirement will be enforced, since every company is subject to cybersecurity risk.
If information about attacks isn’t disclosed, companies could face SEC enforcement actions, lawsuits from shareholders or letters from regulators demanding they improve their disclosures, the Washington Post reports.