The guidelines, from the SEC's division of corporation finance, aim to help companies determine when they need to disclose cyberattacks or the amount of risk they pose to a business.
In general, public companies in the U.S. are required to disclose incidents that could have a material impact on their business. While the current regulations don't specifically mention cyberattacks, the new guidelines say they need to be reported in some cases.
Companies should disclose the risk of cyber-incidents "if these issues are among the most significant factors that make an investment in the company speculative or risky," say the guidelines, issued late Thursday.
To determine that, companies need to look at factors such as how likely it is they will be targeted by an attack and what the cost of an attack might be, in terms of disruption to operations or loss of sensitive data.
They may also be required to give details about hacking incidents that took place in the past.