Slashdot Mirror


SEC Says Public Firms May Need To Disclose Cyberattacks

Trailrunner7 writes "The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack — or even a potential attack — in order to make potential investors aware of possible risks to the company's business. The guidance, which does not constitute a rule or requirement for companies to disclose, is meant to help registrants in 'assessing what, if any, disclosures should be provided about cybersecurity matters.'"

9 of 21 comments

  1. Does this include banks? by John.P.Jones · Score: 4, Insightful

    If banks can write off fraud as an undisclosed loss without disclosing the truth I don't see why Sony can't do the same.

  2. Sure by Moheeheeko · Score: 2

    Because the government totally discloses every time the country is "potentially attacked"

    1. Re:Sure by chill · Score: 4, Informative

      Potentially attacked means an incident occurred, but you aren't sure if it is a specific, targeted attack or just an incident of random infection.

      And yes, they do disclose this on their annual FISMA filings. You will also see the information in the annual Inspector General reports filed with Congress on every agency.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Sure by citylivin · Score: 3, Informative

      "Potentially attacked means an incident occurred, but you aren't sure if it is a specific, targeted attack or just an incident of random infection."

      I guess you have never looked through your logs, or run an IDS at your place of work or home. Attacks are literally happening all the time. The number of people guessing passwords on an FTP server, or simply throwing PHP exploits at your web server, can be tens or hundreds of IP addresses a day.

      This is a joke, or else they don't understand the meaning of "potential" attack.

      I am all for disclosing when a company or organization gets legitimately hacked. But potential attacks? That would be literally thousands of lines of log files daily, even on a home connection.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
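The log volume citylivin describes is the practical problem with the word "potential": the same logs hold both opportunistic noise and the rare event that actually matters. The script below is an added example, not code from the thread or from Slashdot. It runs over constructed log lines in a simplified syslog-style format (the format, the hostnames and the IP addresses are all assumptions for the example), counts distinct source addresses per day for password guessing and PHP exploit probes, and separates out the one pattern that looks like a real compromise: a source whose failed guesses were followed by a successful login on the same service.

```python
"""Triage constructed log lines into background scanning noise vs. events
that merit investigation. Added example; not from the Slashdot thread."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "date time service ip rest" shape.
# Addresses come from the documentation ranges; none of this is real traffic.
SAMPLE_LOGS = """\
2011-10-14 02:11:03 ftpd 203.0.113.7 LOGIN FAILED user=admin
2011-10-14 02:11:05 ftpd 203.0.113.7 LOGIN FAILED user=root
2011-10-14 02:11:09 ftpd 203.0.113.7 LOGIN FAILED user=test
2011-10-14 02:13:41 sshd 198.51.100.22 LOGIN FAILED user=oracle
2011-10-14 02:13:44 sshd 198.51.100.22 LOGIN FAILED user=postgres
2011-10-14 03:02:10 httpd 192.0.2.55 GET /phpmyadmin/scripts/setup.php 404
2011-10-14 03:02:11 httpd 192.0.2.55 GET /wp-login.php 404
2011-10-14 03:02:12 httpd 192.0.2.56 GET /index.php?page=../../../../etc/passwd 404
2011-10-14 04:40:00 sshd 198.51.100.22 LOGIN FAILED user=backup
2011-10-14 04:40:07 sshd 198.51.100.22 LOGIN OK user=backup
2011-10-14 09:15:00 sshd 10.0.0.5 LOGIN OK user=alice
2011-10-15 01:00:00 httpd 192.0.2.57 GET /phpmyadmin/index.php 404
2011-10-15 01:00:02 ftpd 203.0.113.8 LOGIN FAILED user=anonymous
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<svc>\w+) (?P<ip>[\d.]+) (?P<rest>.*)$"
)
# Crude signature for the opportunistic web traffic the commenter describes:
# requests for PHP files or containing directory traversal.
PHP_PROBE_RE = re.compile(r"\.php\b|\.\./", re.IGNORECASE)


def parse(log_text):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Return (noise, incidents).

    noise:     {day: {category: set(source_ips)}} for probes with no sign of success
    incidents: [(day, ip, service, user)] for a source whose failed logins were
               followed by a successful login on the same service
    """
    noise = defaultdict(lambda: defaultdict(set))
    failed = defaultdict(set)  # (ip, service) -> days on which it failed a login
    incidents = []
    for ev in parse(log_text):
        day, svc, ip, rest = ev["day"], ev["svc"], ev["ip"], ev["rest"]
        if "LOGIN FAILED" in rest:
            noise[day]["password_guessing"].add(ip)
            failed[(ip, svc)].add(day)
        elif "LOGIN OK" in rest and (ip, svc) in failed:
            # Success after a run of failures from the same source: this is the
            # line worth a human's attention, not the thousands before it.
            user = rest.split("user=")[-1]
            incidents.append((day, ip, svc, user))
        elif svc == "httpd" and PHP_PROBE_RE.search(rest):
            noise[day]["web_exploit_probe"].add(ip)
        # A plain successful login with no prior failures is neither noise
        # nor an incident here, so it is deliberately left uncounted.
    return noise, incidents


def distinct_sources_per_day(noise):
    """Collapse the noise buckets to a count of distinct source IPs per category."""
    return {day: {cat: len(ips) for cat, ips in cats.items()}
            for day, cats in noise.items()}


if __name__ == "__main__":
    noise, incidents = summarize(SAMPLE_LOGS)
    for day, cats in sorted(distinct_sources_per_day(noise).items()):
        print(day, cats)
    for inc in incidents:
        print("investigate:", inc)
```

On the constructed input the per-day counts are the "potential attacks" citylivin is talking about, and only one line out of thirteen survives as something a disclosure decision could reasonably turn on. Real logs need service-specific parsers and a time window on the failed-then-succeeded rule, but the shape of the triage is the same.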
  3. So it'll have the same effect as the SEC by DCFusor · Score: 2

    None at all.

    --
    Why guess when you can know? Measure!
  4. As it stands... by Synerg1y · Score: 2

    Sony only disclosed because PSN went down and people noticed. We don't know if they really disclosed everything or not. It's a little more complicated though; I think that this being labeled as guidance is a step towards harder regulations on corporate security and consumer standards for privacy when submitting data to a corporation. As it stands it's unregulated and people have taken advantage of it.

  5. Argh by Anonymous Coward · Score: 2, Interesting

    "In order to make potential investors aware of possible risks to the company's business"

    Right, they won't do this for CUSTOMERS, but they have a change of opinion when it comes to INVESTORS.

  6. Anyone remember this story? by TubeSteak · Score: 2

    http://yro.slashdot.org/story/11/09/09/1843228/New-Legislation-Would-Punish-Mishandling-of-Private-Data

    I looked at the actual text of the legislation and it essentially said that if there's no risk that "sensitive personally identifiable information" was lost, then companies did not have to report the breach.

    I'm glad the SEC's rules are much more expansive than the crap ideas our legislators came up with.
    I expect to see a lot more disclosures of hacking in the future.

    --
    [Fuck Beta]
    o0t!
  7. Dear SEC, by Medievalist · Score: 4, Interesting

    Dear SEC,

    We connected our enterprise to the Internet in October 1992. Starting roughly two weeks from that time, we have been under continuous attack from various robots, disgruntled former employees, botnets, viruses, worms, and possibly space aliens. Honestly, we really don't even try to check on the origin of these attacks, we just tarpit them all.

    Should you require more detail, we can arrange a real-time feed from our firewall systems, which are currently being attacked roughly every four seconds, just like every other network of our size in the entire world.

    Please feel free to attempt to determine the source and purpose of these attacks, since clearly you are no longer interested in monitoring the world's business economy and thus helping ensure a free and fair marketplace.

    Sincerely,
    --Any Large Internet-connected Business