By Jim Finkle and Sarah N. Lynch
BOSTON/WASHINGTON, Oct 13 - U.S. securities
regulators on Thursday issued guidelines for public companies
to follow in disclosing cyber attacks following a rash of
Internet crimes that caused lawmakers to call for clearer
guidance on reporting the crimes.
The guidance, posted late on Thursday by the U.S.
Securities and Exchange Commission, lays out examples of things
that companies may be required to disclose. The guidance comes
after Senator John Rockefeller asked the SEC to issue it amid
concern that companies were failing to mention data breaches in
public filings.
The SEC said in its guidance that if a cyber event occurs
and leads to losses, then companies should "provide certain
disclosures of losses that are at least reasonably possible."
"Intellectual property worth billions of dollars has been
stolen by cyber criminals, and investors have been kept
completely in the dark. This guidance changes everything,"
Rockefeller said in a statement.
"It will allow the market to evaluate companies in part
based on their ability to keep their networks secure. We want
an informed market and informed consumers, and this is how we
do it," Rockefeller said in a statement.
Tom Kellermann, chief technology officer of security firm
AirPatrol Corp., said that the guidance tells companies to
report cyber attacks and disclose steps to remediate problems.
"They must also incorporate cyber events into their
material risk reports," said Kellermann, who has advised U.S.
President Obama on cyber policy.
There is a growing sense of urgency following breaches at
Google Inc (GOOG.O), Lockheed Martin Corp (LMT.N), the
Pentagon's No. 1 supplier, Citigroup (C.N), the International
Monetary Fund and others.
A report out earlier this month found that U.S. banks are
losing ground in the battle to combat credit and debit card
fraud because they balk at the expense of higher security.
Globally, however, security is improving in the payment
industry, according to data from The Nilson Report, a
California trade publication.
There is some hope of U.S. legislation to address the
problem, although the House of Representatives appears more
interested in tackling it piecemeal while the Senate is opting
for a more far-reaching approach.
Most of the concern has been focused on critical facilities
like nuclear power, electricity, chemical and water treatment
plants.
