Firms hit by a cyber attack will have to disclose what impact the attack had on their operations, the US Securities and Exchange Commission has ruled.
For the first time public firms have been asked to adhere to guidance, issued on Thursday, encouraging them to make a number of disclosures about cyber security risks and incidents.
“[Public companies] should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption,” the guidelines state.
The release comes in the wake of a raft of hacking incidents over the past year, most notably the attack on Sony's servers that saw the data of over 77m of its PlayStation users compromised.
Among the issued guidance, firms are asked to gauge their unique risk of falling victim to an attack.
Companies should consider their vulnerabilities based on any prior cyber incidents, the severity and frequency of any attacks, any preventative actions they can take, as well as any threats within their industry.
Detailed descriptions of any cyber incidents should also be divulged.
Noting the problem of firms having to provide too much information, the SEC said: “We are mindful of potential concerns that detailed disclosures could compromise cyber security efforts – for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security – and we emphasise that disclosures of that nature are not required under the federal securities laws.”
Registered companies are also encouraged to calculate the costs of any cyber attacks, including the loss of material intellectual property through theft and possible indirect costs such as litigation fees.
All legal proceedings linked to cyber attacks also have to be divulged.
Hacking incidents could make a large dent in a firm's financial statements. Companies should detail how much they have spent on preventing attacks, how much they have lost on asserted and unasserted claims, and should also estimate future lost cash flows resulting from a cyber attack.
The SEC said that companies’ increasing dependence on digital technologies has made them more vulnerable to online attacks, prompting the regulator to create the guidelines.