SEC Says Public Firms May Need To Disclose Cyberattacks

Trailrunner7 writes "The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack — or even a potential attack — in order to make potential investors aware of possible risks to the company's business. The guidance, which does not constitute a rule or requirement for companies to disclose, is meant to help registrants in 'assessing what, if any, disclosures should be provided about cybersecurity matters.'"

  • Re:Sure (Score:5, Informative)

    by chill ( 34294 ) on Friday October 14, 2011 @04:51PM (#37718214) Journal

    Potentially attacked means an incident occurred, but you aren't sure if it is a specific, targeted attack or just an incident of random infection.

    And yes, they do disclose this on their annual FISMA filings. You will also see the information in the annual Inspector General reports filed with Congress on every agency.

  • Re:Sure (Score:4, Informative)

    by citylivin ( 1250770 ) on Friday October 14, 2011 @06:23PM (#37719302)

    "Potentially attacked means an incident occurred, but you aren't sure if it is a specific, targeted attack or just an incident of random infection."

    I guess you have never looked through your logs, or run an IDS system in your place of work or home. Attacks are literally happening all the time. The number of people guessing passwords on an FTP, or simply throwing PHP exploits at your webserver can be tens or hundreds of IP addresses a day.

    This is a joke, or else they don't understand the meaning of "potential" attack.

    I am all for disclosing when a company or organization gets legitimately hacked. But potential attacks? That would be literally thousands of lines of log files daily, even on a home connection.
