Security Bytes

Oct 17 2011   5:40PM GMT

SEC guidelines push companies to disclose potential breaches

Posted by: admin
Data Breaches and Identity Theft, data security breach

The U.S. Securities and Exchange Commission released guidelines to help companies determine when and what information on security breaches should be disclosed to potential investors.

By Hillary O’Rourke, Contributor

The U.S. Securities and Exchange Commission released guidelines last week to help public companies decide when, and what, to disclose to investors about security breaches, including the mere potential for a breach.

The guidance, issued by the SEC’s Division of Corporation Finance, calls for companies to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the guidelines.

In the statement, the SEC explains that it would like to see a discussion of possible security risks and their consequences, how the company plans to counteract possible attacks, descriptions of previous attacks, what would happen if an attack went undetected for a period of time, and details of relevant insurance coverage.

To determine whether they must disclose information, companies should “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”

“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur,” the guidelines state. Instead, the company should discuss the possibility of the attack recurring, the consequences it has already experienced, and the consequences it could still face.

According to the release, the guidance is not intended to be a rule or a regulation and is “neither approved nor disapproved” by the Commission. It is simply a “roadmap” for those seeking guidance on their security efforts at a time when cyber incidents are growing in number.

According to the SEC, risk factor disclosures should include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.
