U.S. securities regulators on Thursday issued guidelines for public companies to follow in disclosing cyber attacks following a rash of Internet crimes that caused lawmakers to call for clearer guidance on reporting the crimes.
The guidance, posted late on Thursday by the Securities and Exchange Commission, lays out examples of things that companies may be required to disclose. The guidance comes after Senator John Rockefeller asked the SEC to issue it amid concern that companies were failing to mention data breaches in public filings.
The SEC said in its guidance that if a cyber event occurs and leads to losses, then companies should provide certain disclosures of losses that are at least reasonably possible.
"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement.
"It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," Rockefeller said in a statement.
Tom Kellermann, chief technology officer of security firm AirPatrol Corp., said that the guidance tells companies to report cyber attacks and disclose steps to remediate problems.
"They must also incorporate cyber events into their material risk reports," said Kellermann, who has advised U.S. President Obama on cyber policy.
There is a growing sense of urgency following breaches at Google Inc; Lockheed Martin Corp, the Pentagon's No. 1 supplier; Citigroup; the International Monetary Fund; and others.
A report out earlier this month found that U.S. banks are losing ground in the battle to combat credit and debit card fraud because they balk at the expense of higher security. Globally, however, security is improving in the payment industry, according to data from The Nilson Report, a California trade publication.
There is some hope of U.S. legislation to address the problem, although the House of Representatives appears more interested in tackling it piecemeal while the Senate is opting for a more far-reaching approach.
Most of the concern has been focused on critical facilities like nuclear power, electricity, chemical and water treatment plants.
(Reporting by Sarah N. Lynch in Washington and Jim Finkle in Boston; Editing by Gary Hill and Bob Burgdorfer)