Sen. Rockefeller calls SEC cybersecurity guidance a game-changer

New guidance from the Securities and Exchange Commission directing companies to disclose cybersecurity risks and incidents to shareholders will fundamentally change the way those firms address the issue, according to Senate Commerce Chairman Jay Rockefeller (D-W.Va.).

“This guidance fundamentally changes the way companies will address cybersecurity in the 21st century," Rockefeller said in a statement. "This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure."

ADVERTISEMENT
The guidance from SEC's Division of Corporate Finance notes the increased interest from investors on the potential risk firms face from an attack on their networks, which could compromise a firm's intellectual property or cause a disruption to its operations. Firms could be required to disclose potential risk factors as part of their filings for investors and regulators.

"Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents," the guidance states.

"Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents."

Firms should disclose the risk of cyber incidents if it is among the prime factors that would make investing in the company speculative or risky. Companies must take all relevant information into account when determining whether a disclosure of risk is required, including the severity and frequency of previous cyber incidents.

"For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them," Rockefeller said. "Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark."

Firms that experience cyber attacks and must subsequently beef up their networks protections are also directed to note those increased expenditures in their filings.

The guidance clearly states that firms needn't release a detailed roadmap of their cybersecurity procedures, as doing so could increase the risk of future attacks.