SEC Staffers Give Advice On Cyber-Risk Disclosure


Washington — Publicly traded cable and broadcast
companies should be on notice that they may need to
inform their stockholders of any online security breaches
or risk running afoul of government regulators.

Securities and Exchange Commission staffers have
advised public companies to keep cybersecurity in
mind when deciding which information is material to their

have been asking the agency for advice along these
lines, and a powerful U.S. senator asked the agency
to clarify its requirements.

Staffers in the SEC’s Division of Corporate Finance
noted that cyber attacks can cost companies big bucks
in lost revenue and litigation fees, and can have other
negative consequences, such as damage to a company’s
reputation that affects investor confidence.

SEC rules require that companies disclose information
about “risks and events” that a reasonable investor
would consider important to know.

The advisory, issued on Oct. 13, does not mandate
the disclosure of any cybersecurity information. And
it is not a new rule or a statement of official commission

But the SEC disclosure rules are fairly broad anyway,
so the advice is essentially a signal that in a
digital world where broadband is the new engine
of commerce and communications, companies are
likely going to be expected to include incidents and
threats in disclosure forms.

“This guidance fundamentally changes the way
companies will address cybersecurity in the 21st
century,” Sen. Jay Rockefeller (D-W. Va.) said of the
guidelines. He had asked the SEC to clarify corporate
disclosure requirements for cybersecurity breaches.

The commission, though, did not officially endorse
the advisory. “It does not create any new requirements
or modify existing requirements. It is just
providing advice on how to consider cybersecurity issues,”
an SEC spokesperson said.

Companies, accountants and lawyers had sought
guidance on how they should treat cybersecurity
breaches in disclosures, according to the SEC staffers.

An SEC source said that such advisories are not
routinely converted to mandates. But some have
been adopted as rules, including some advisories
that date back to the so-called Y2K bug, when the
arrival of Jan. 1, 2000, was supposed to cause massive
computer issues.

Congress is independently considering legislation
with data-breach and cyber-attack reporting requirements.