For companies hit with a cyber attack the impact can be costly, both in terms of financial and reputational damage.
New guidelines issued by the Securities and Exchange Commission (SEC) late last week urging publicly traded companies to disclose cyber incidents will give investors a greater appreciation of the nature of these risks going forward.
According to an article in the Washington Post, the SEC guidelines make clear that publicly traded companies must report significant instances of cybertheft or attack, or even when they are at material risk of such an event:
The SEC guidance clarifies a long-standing requirement that companies report Ã¢â‚¬Å“materialÃ¢â‚¬ developments, or matters significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no exception.Ã¢â‚¬
The SEC itself notes that its cybersecurity disclosure guidance was prepared to be consistent with the relevant disclosure considerations that arise in connection with any business risk. It adds:
We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts Ã¢â‚¬“ for example, by providing a Ã¢â‚¬Å“roadmapÃ¢â‚¬ for those who seek to infiltrate a registrantÃ¢â‚¬â„¢s network security Ã¢â‚¬“ and we emphasize that disclosures of that nature are not required under the federal securities laws.Ã¢â‚¬
A recent study by Symantec and the Ponemon Institute put the average organizational cost of a data breach at $7.2 million in 2010, and cost companies an average of $214 per compromised record up from $204 in 2009.
The Identity Theft Resource Center (ITRC) notes that while many data breaches go unreported, more companies are revealing that they had a data breach, either due to laws or public pressure.