The U.S. Securities and Exchange Commission has told public companies to disclose cyber attacks that could lead to unexpected losses.
The guidance, issued on Thursday, follows a rash of cyber attacks that prompted lawmakers to ask for clearer instructions on reporting cyber crimes. Rather than creating a new rule, it spells out what companies may already be required to disclose under existing securities law.
Senator John Rockefeller asked the SEC to issue the rules amid fears that companies were failing to mention data breaches in their public filings. The SEC said that if a cyber attack occurs and leads to losses, then companies should disclose the losses, or at least estimates of what is “reasonably possible.”
“Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything,” Rockefeller said in a statement to Reuters.
Breaches have occurred at large organizations such as Sony, Google, Lockheed Martin, Citigroup, the International Monetary Fund and others. The SEC said it will not require companies to describe how they will further protect themselves, since detailed descriptions of defensive measures could serve as a roadmap for attackers.
Companies are on the hook for disclosing the costs of remediating compromised networks, increased cyber protection costs (which may include changes to personnel), lost revenues resulting from unauthorized access to or use of proprietary information, losses from the failure to retain customers after an attack, litigation costs, and reputational damage following an attack.