In response to increasingly serious cybersecurity threats emerging across all industries, the Securities and Exchange Commission has formally asked publicly traded companies to disclose hacks and data breaches for the first time.
According to the Globe and Mail, data security advocacy efforts from Senator John Rockefeller may have inspired the SEC's timely response. Rockefeller had been concerned that a lack of clear disclosure guidelines made it more difficult for investors to pursue new ventures with confidence.
"Intellectual property worth billions of dollars has been stolen by cybercriminals, and investors have been kept completely in the dark. This guidance changes everything," the Senator told the news source. "It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it."
The growing complexity and gravity of recent Internet security threats have caused much more than bothersome network disruptions and administrative headaches. SEC officials suggested that companies falling victim to cyberattacks could face a variety of unexpected costs associated with litigation settlements, increased IT costs, lost revenue and reputational damages.
According to the Financial Times, Sony recently announced that it may lose more than $170 million as a result of cybercriminals compromising the company's online gaming networks. However, it's worth noting that a number of similar cases have likely been kept under wraps prior to the new legislation.
Critics have suggested that regulators have already been too slow to respond, but the SEC guidelines do provide welcome, actionable advice. The agency explicitly identifies how risks should be assessed and how findings should be reported to investors. In the case of a "material" breach, for example, companies may be required to identify exactly what was stolen and how it could affect future business operations. Regulators also specifically warn against the use of intentionally vague statements when addressing investors or regulators.
Internet security has been on the minds of many public sector agencies of late, as a number of government organizations launch initiatives in response to National Cyber Security Month. The SEC guidelines are a prime example of the cross-sector collaboration being called for by security experts and legislators. The burden of protecting consumer information can no longer rest on any one set of shoulders as cybercriminals devise increasingly complex data security threats.
Data Security News from SimplySecurity.com by Trend Micro