SEC Mandates Cyber Incident Reporting - InformationWeek

Securities and Exchange Commission issues its first guidance for how and when companies should report cybersecurity or other incidents that pose a cyber risk.

The Securities and Exchange Commission (SEC) has issued its first official guidance for how companies should report cybersecurity incidents that could have a negative impact on operations or their financial status.

The SEC's division of corporate finance this week presented several specific criteria for the disclosure of cyber incidents, according to guidance presented on its website.

The SEC long has required companies to report any incidents that could impact their financial performance, but to date has not outlined requirements for disclosing cybersecurity or other cyber incidents in particular.

However, with the growing dependence on the Internet and other digital communications for business functions, companies as well as their accountants and lawyers have asked the SEC to provide a framework for disclosing cyber incidents, according to the commission.

"As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant's specific facts and circumstances," the SEC said.

According to the SEC, companies should disclose the risk of cyber incidents if "these issues are among the most significant factors that make an investment in the company speculative or risky." Companies should consider prior cyber incidents and the severity and frequency of those incidents to determine if they need to report a cyber risk, according to the guidance.

The SEC also advises companies to take into account the actions they take to prevent and reduce risks in the context of their particular industry, as well as risks to that security. To put risks reported under these criteria in context, the SEC said a company may need to disclose "known or threatened cyber incidents."

Companies also should address cybersecurity risks in their Management's Discussion and Analysis (MD&A) reporting if costs or consequences of a known risk will have a material impact on the company, according to the SEC.

Moreover, cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions also should be reported. This should be done in a company's "description of business" reporting, according to the SEC.

Cybersecurity incidents also may need to be reported on a company's financial statements, "depending on the nature and severity of the potential or actual incident," the commission said.
