Public companies may need to look more closely at their exposure to cyber attacks after new guidelines were issued this week by the U.S. Securities and Exchange Commission (SEC).
The guidelines, from the SEC's Division of Corporation Finance, aim to help companies determine when they need to disclose cyber attacks, or the risk such attacks pose to the business, to investors.
In general, public companies in the U.S. must disclose incidents that could have a material impact on their business. While the current regulations don’t specifically mention cyber attacks, the new guidelines say companies need to report them in some cases.
Companies should disclose the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the new guidelines.
To determine that, companies need to conduct a risk assessment that weighs both how likely they are to be targeted and what an attack might cost, in terms of disruption to operations, loss of sensitive data, or remediation and litigation expense.
They may also have to give details about hacking incidents that have already taken place, rather than describing the risk only in general terms.
“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur.” Instead, they would probably have to reveal specifics of the incident, the SEC said.
The guidelines come in a year that has seen numerous high-profile hacking incidents, including a massive attack on Sony that forced it to take its PlayStation Network offline for more than a month.