
SEC Mandates Cyber Incident Reporting

Securities and Exchange Commission issues its first guidance for how and when companies should report cybersecurity or other incidents that pose a cyber risk.

The Securities and Exchange Commission (SEC) has issued its first official guidance for how companies should report cybersecurity incidents that could have a negative impact on operations or their financial status.

The SEC's division of corporate finance this week presented several specific criteria for the disclosure of cyber incidents, according to guidance presented on its website.

The SEC long has required companies to report any incidents that could impact their financial performance, but to date has not outlined requirements for disclosing cybersecurity or other cyber incidents in particular.


However, with the growing dependence on the Internet and other digital communications for business functions, companies as well as their accountants and lawyers have asked the SEC to provide a framework for disclosing cyber incidents, according to the commission.

"As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant's specific facts and circumstances," the SEC said.

According to the SEC, companies should disclose the risk of cyber incidents if "these issues are among the most significant factors that make an investment in the company speculative or risky." Companies should consider prior cyber incidents and the severity and frequency of those incidents to determine if they need to report a cyber risk, according to the guidance.

The SEC also advises companies to take into account the steps they take to prevent and mitigate cyber risks in the context of their particular industry, as well as the risks that remain to their security. To put risks reported under these criteria in context, the SEC said a company may need to disclose "known or threatened cyber incidents."

Companies also should address cybersecurity risks in their management's discussion and analysis (MD&A) reporting if the costs or consequences of a known risk will have a material impact on the company, according to the SEC.

Moreover, cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions also should be reported. This should be done in a company's "description of business" reporting, according to the SEC.

Cybersecurity incidents also may need to be reported on a company's financial statements, "depending on the nature and severity of the potential or actual incident," the commission said.
