SEC: Firms must disclose relevant cyber attacks
Securities and Exchange Commission Chairman Mary Schapiro says public companies must disclose cyber attacks or risk factors that may be relevant to investors.
Chairman Schapiro responded this week to a letter last month from Senate Commerce chairman Jay Rockefeller (D-WV) and several Senate Democrats asking the SEC to clarify that firms must disclose any network breach that could jeopardize the firm's intellectual property or trade secrets. In her response, Chairman Schapiro argued that existing disclosure requirements under federal securities law require firms to disclose risks and events that a reasonable investor would consider important to an investment decision.
She noted there is some flexibility in how the rules are administered. "Whether a company is required to provide risk factor disclosure regarding potential cyber attacks, including the potential financial or reputational impacts of the attacks, will depend on the facts and circumstances of the company, and the determination of various factors, including the probability of the risk occurring and the magnitude of the risks," Chairman Schapiro wrote.
She said the SEC generally considers whether information would impact an investment decision when enforcing its disclosure requirements. For example, if a firm's trade secrets were breached in a cyber attack, it may be required to disclose the effect of the breach on its operations.