The Securities and Exchange Commission said publicly traded companies should disclose to investors the threat and potential impact of cyber attacks that pose a “specific and material” risk.
The SEC made its comments in a letter to Senator Jay Rockefeller, chairman of the Senate Commerce Committee, that was released Wednesday. Last month, Rockefeller and four other Democratic senators wrote a letter to SEC Chairman Mary Schapiro urging the agency to issue guidance on disclosure of data security risk, including “material network breaches,” attacks that may result in the theft of intellectual property or trade secrets.
Federal securities law obliges public companies to disclose risks that a reasonable investor would consider important to an investment decision, the SEC said in its letter. Those disclosures may include reporting a prior cyber attack or the threat of a future attack, as well as the impact of a computer assault, the SEC said.
“Although we are not aware that investors have asked for more disclosure in this area, I have asked the commission staff to provide me with a briefing on current disclosure practices,” Schapiro said in the letter dated June 6. “As we further analyze this issue, we will seriously consider your request for interpretive guidance.”
Data breaches at Sony Corp. and other companies have sharpened U.S. government scrutiny of how businesses safeguard consumer information and respond to cyber attacks. The Obama administration on May 12 sent Congress a proposal that called for shielding banks, power grids and government computers, creating a uniform data-breach notification law and requiring owners of critical systems to develop network-security plans.
“Securing cyberspace is one of the most important and urgent challenges of our time,” Rockefeller, a West Virginia Democrat, and the other senators wrote to the SEC on May 11. “It is essential that corporate leaders know their responsibility for managing and disclosing security risk.”
A “substantial number” of companies don’t report information security risk to investors, and when they do, the results are inconsistent, they wrote. Such lack of information devalues security and “impairs investor decision-making,” according to the letter, which also was signed by Richard Blumenthal of Connecticut, Robert Menendez of New Jersey, Mark Warner of Virginia and Sheldon Whitehouse of Rhode Island.
Malicious attacks made up 31 percent of U.S. data breaches in 2010, up from 24 percent a year earlier, with each incident costing businesses an average of $7.2 million, according to a March study by the Ponemon Institute, an information-security research firm based in North Traverse City, Michigan. The study found that about 85 percent of all U.S. companies have experienced one or more attacks.