* Lays out examples of things companies might disclose
* Calls for reports of attacks, remediation steps
By Jim Finkle and Sarah N. Lynch
BOSTON/WASHINGTON, Oct 13 - U.S. securities
regulators formally asked public companies for the first time
to disclose cyber attacks against them, following a rash of
high-profile Internet crimes.
The Securities and Exchange Commission issued guidelines on
Thursday that laid out the kind of information companies should
disclose, such as cyber events that could lead to financial
losses.
Senator John Rockefeller had asked the SEC to issue
guidelines amid concern that it was becoming hard for investors
to assess security risks if companies failed to mention data
breaches in their public filings.
"Intellectual property worth billions of dollars has been
stolen by cyber criminals, and investors have been kept
completely in the dark. This guidance changes everything,"
Rockefeller said in a statement.
"It will allow the market to evaluate companies in part
based on their ability to keep their networks secure. We want
an informed market and informed consumers, and this is how we
do it," he added.
There is a growing sense of urgency about cyber security
following breaches at Google Inc (GOOG.O), Lockheed Martin Corp
(LMT.N), the Pentagon's No. 1 supplier, Citigroup (C.N), the
International Monetary Fund and others.
Tom Kellermann, chief technology officer of security firm
AirPatrol Corp, said that the SEC guidance tells companies to
report cyber attacks and disclose steps to remediate problems.
"They must also incorporate cyber events into their
material risk reports," said Kellermann, who has advised U.S.
President Obama on cyber policy.
The SEC gets into specifics, telling companies what type of
data they might need to provide investors.
"Examples of estimates that may be affected by cyber
incidents include estimates of warranty liability, allowances
for product returns, capitalized software costs, inventory,
litigation, and deferred revenue," it says.
(The document can be accessed on the SEC's website:
www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm)
A report out earlier this month found that U.S. banks are
losing ground in the battle to combat credit and debit card
fraud because they balk at the expense of higher security.
Globally, however, security is improving in the payment
industry, according to data from The Nilson Report, a
California trade publication.
There is some hope of U.S. legislation to address the
problem, although the House of Representatives appears more
interested in tackling it piecemeal while the Senate is opting
for a more far-reaching approach.
Most of the concern has been focused on critical facilities
like nuclear power, electricity, chemical and water treatment
plants.
(Reporting by Sarah N. Lynch in Washington and Jim Finkle in
Boston; Editing by Gary Hill, Bob Burgdorfer and Carol
Bishopric)