When the impact of a potential data security breach is significant enough, public companies must disclose it in advance.
Even potential data security breaches must be disclosed by U.S. companies in some circumstances, the Securities and Exchange Commission said today.
The move by the SEC is likely to shed more light on how publicly-traded companies are grappling with cybersecurity problems -- especially because the agency's ruling says that disclosure is needed when "the risk of potential incidents" becomes significant enough to impact the bottom line.
In a statement, the SEC indicated it would like to see:
• Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences...
• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences...
• Risks related to cyber incidents that may remain undetected for an extended period...
Today's announcement isn't exactly a surprise. A handful of Democratic U.S. senators had been pressing the agency (PDF) since May to take steps in this direction.
Companies have disclosed actual attacks before--just not, generally, potential ones. The new order thus marks a significant shift in required disclosure.
"For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them," Sen. John Rockefeller IV, chairman of the Senate Commerce committee said. "Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. "
This kind of regulation may be what billionaire investor Peter Thiel, a member of Facebook's board of directors, had in mind when he told CNET last month that there are good reasons for companies not to go public.
Thiel said: "There's simply a degree to which public companies are given a scrutiny that is much greater and much more heavily regulated than private companies... The correct decision that people have made in the last decade in Silicon Valley has been to try to defer the IPO process as long as possible."