SEC Mandates Cyber-Attack Disclosures


On October 13th, 2011, the Securities and Exchange Commission (“SEC”) issued new guidelines which require publicly-traded companies to: (i) disclose when they fall victim to cyber-attacks; and (ii) describe any intellectual property stolen by hackers.[1] For example, if a virus infiltrates a company’s computer network, the company “may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”[2]

These guidelines were prepared as a response to a letter from Senator John Rockefeller asking the SEC to clarify whether public companies have a duty to disclose cyber-attacks or data breaches.[3] As Rockefeller notes, “[i]ntellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything.”[4]

Prior to Senator Rockefeller’s inquiry, publicly-traded companies were not expected to report computer intrusions or even whether the situation had been resolved.  In fact, only banking institutions and the health care sector were required to report such attacks.[5] However, in May of 2011, a Senate Commerce Committee review of previous SEC filings found that companies were maintaining low cyber security standards, were reluctant to improve their cyber security and were not forthcoming about their vulnerability to cyber attacks.[6] This gave the Committee reasonable cause for concern, given the recent breaches of cyber security experienced at companies such as Google Inc., Lockheed Martin Corp., and Citigroup.  Indeed, U.S. banks such as Citigroup appear to be losing ground in their struggle to defend against credit and debit card fraud because they are hesitant to pay a premium for better cyber security measures.[7] Moreover, a recent survey conducted by McAfee and Science Applications International Corporation found that out of one thousand participating global companies, only ten reported all of their respective cyber-attacks.[8] However, the Nilson Report has found that cyber security has ultimately been improving within the international banking industry.[9]

As of next year, all publicly-traded companies will have to report cyber-attacks to the SEC, along with a summary of proposed measures the company intends to implement to tighten cyber security.[10] According to Tom Kellermann, chief technology officer of AirPatrol Corp., publicly-traded companies will not be pleased by this. “They’re going to freak out,” he said. “They would rather live in a land where they can hide behind the veil of plausible deniability.”[11]

It is easy to understand why public companies would be so averse to reporting their vulnerability to cyber-attacks.  Pride and inconvenience are two factors that immediately come to mind. However, if such disclosure results in the pervasive corporate adoption of heightened cyber security measures and I.P. protection, public companies may end up better off than they currently appreciate.  After all, admitting there is a problem is the first step to curing it.

[1] Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2, (last visited October 25, 2011).

[2] Id.

[3] Gerald Smith, SEC Says Public Companies Must Disclose Cyberattacks, (last visited October 25, 2011).  Note: Senator Rockefeller is the Chairman of the Senate Commerce Committee.

[4] Jim Finkle and Sarah N. Lynch, SEC Tells Companies to Disclose Cyber Attacks, (last visited October 25, 2011).

[5] Smith, supra.  Note: banks are required to report cyber-attacks by the Department of the Treasury and Health Care providers are under similar obligations from the Department of Health and Human Services. 

[6] Id.

[7] Finkle and Lynch, supra.

[9] Id. The Nilson Report is a California trade publication.

[10] Smith, supra.

[11] Id.
