Companies ponder new disclosure guidance
We noted recently that all the security breaches this year have thrust the issue of disclosure into the spotlight. Some companies, like Citigroup, were criticized--fairly or not--for what some critics saw as tardy disclosure to customers. Other companies, like EMC, were questioned by the SEC about the costs stemming from the breach of its RSA security unit, which was victimized in March.
Given that cyber threats are rising fast for all companies, the SEC was wise to issue guidelines about disclosure requirements for victimized companies.
Currently, companies are not bound by an explicit disclosure requirement regarding cyber security risks and incidents. But several disclosure requirements "may impose an obligation on registrants" to disclose them anyway. Material information regarding cyber security risks and incidents is "required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading." The guidance says that companies should consider including the cost of replacing assets, repairing IT systems, implementing cyber security services and hiring third-party vendors. Companies may also need to disclose revenue impact.
While the guidelines are certainly welcome, companies still need to ponder some big issues. Cfo.com notes that the guidance "will still cause some head-scratching for CFOs as they debate what type of information to include, particularly in the short time following a cyberattack when its full impact has not yet been felt." Early on anyway, the impact may be difficult to gauge.
The real change may be the new urgency and legal risk associated with breaches, even the minor ones. Some companies may now be tempted to err on the side of caution and disclose early. The result may be more disclosures, which would not necessarily be a bad thing, as a high percentage of security breaches go unreported. You can understand why executives would want to underplay incidents. But that may be a less tenable position now. -Jim



