SEC orders firms to come clean about data breaches

The Securities and Exchange Commission (SEC) has ordered companies to disclose security breaches, following a year in which several organizations have been criticized for revealing details late, if at all.

Clearly, breaches in security can have a massive effect on a company’s bottom line – just look at Sony, for example. And, according to those who have been pushing for the change, it’s something investors have the right to know about.

“Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts,” says the SEC in its new guidance notes.

“Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.”

Even the risk of a potential cyber incident should be reported in many cases, says the SEC.

“Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” it says.

Earlier this year, Citicorp was heavily criticized after it emerged that the company had waited weeks before disclosing a massive hack that hit 360,000 credit card owners.

Sony, too, was accused of tardiness when disclosing the hack of the PlayStation Network – indeed, it was this that prompted a group of US lawmakers to call for the changes to the SEC rules.

Two years ago, a report from insurance underwriter Hiscox concluded that 38 percent of Fortune 500 companies had made a ‘significant oversight’ by failing to mention their risk of a data breach in their public filings.