Cyber incidents that affect a company’s finances or operations should be disclosed on a par with other operational and financial risks, according to guidance issued by the Securities and Exchange Commission’s Corporate Finance Division.

Sony’s PlayStation Network, Google and Citigroup have been some of the most high-profile companies to have their networks compromised. Hackers have illicitly obtained data such as personal consumer information, credit card details, sensitive corporate information and confidential intellectual property, which led Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) to request that the SEC address concerns that these data breaches were not being revealed [see his letter, below].

“Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark,” Rockefeller said in a statement. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.”

SEC guidance does not have the power of law, but reputable companies generally adhere to its edicts. In this instance, companies are advised to “provide certain disclosures of losses that are at least reasonably possible” in the event of a network security breach.

Legal proceedings that result from cyber incidents are among the events that should be disclosed in SEC filings, the guidance says. Additionally, “if intellectual property is stolen in a cyberattack, and the effects of the theft would likely be material, the company should describe the stolen property and the effect of the theft on operations and finances.” Companies also should disclose the effect “on products, services, relationships with customers or suppliers or competitive conditions.”
