SEC Asks Companies to Disclose Cyberattacks

I came across an interesting article on Reuters today:

U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes.

The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses.

...

There is a growing sense of urgency about cyber security following breaches at Google Inc, Lockheed Martin Corp, the Pentagon’s No. 1 supplier, Citigroup, the International Monetary Fund and others.

...

The SEC gets into specifics, telling companies what type of data they might need to provide investors.

“Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue,” it says.

(The document can be accessed on the SEC’s website: www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm)

A report out earlier this month found that U.S. banks are losing ground in the battle to combat credit and debit card fraud because they balk at the expense of higher security. Globally, however, security is improving in the payment industry, according to data from The Nilson Report, a California trade publication.

[Source: Reuters]

This is a pretty big step for the SEC. Requiring companies to disclose when they have been hacked turns disclosure from something voluntary into something that they have to do. The question is: do we want to hear about everything? And who even has the expertise to figure out what’s been stolen and what the financial damage is?

I’ve read a lot of articles on cyber hacks earlier this year and many of the authors say that there are two types of companies: those that have been hacked, and those that don’t know they have been hacked. In the case of the SEC, they may as well start advising investors that if you’re investing in a big company (certainly amongst the Fortune 500), you may as well assume that it is a victim of a cyber attack whether it has disclosed it or not. Investors ought to factor that into their discounted cash flow analysis.

But I wonder if the reverse is true? If knowing that companies are the victims of a cyber attack causes a company to be evaluated differently because of the risk, then does knowing whether another company is the beneficiary of that stolen data decrease the risk?

For example, if China is well known for stealing sensitive data from western corporations and giving it to their own competitive industries, does that make investing in Chinese companies less risky? For example, Google has twice (so far, at least publicly) been the victim of a cyber hack and the evidence has led back to China. Does this mean that it’s safer to invest in Baidu than Google?

Hmm, makes you think.

(Disclosure: at time of this writing, I am not long either Google or Baidu although I have owned both stocks in the past)

By Terry Zink, Program Manager
