Securities and Exchange Commission Urges Companies to Disclose Cybercrime

With 55 thousand pieces of malware counted every single day, governments and corporations have been focusing their attention on this growing issue and on ways to deal with it. One of the major steps in the fight against cybercrime was made at the end of 2011 by the Securities and Exchange Commission (SEC), which issued guidance on cybercrime disclosure:

“For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.” – SEC (October 13, 2011)

The recently introduced rule puts all of the responsibility for dealing with cybercrime on the companies themselves, and they could face accusations of negligence if no measures were taken to fight it. The SEC even urges these companies to inform their investors about cybercrime incidents, which, without a doubt, could endanger reputation and stock prices or even put companies at risk of lawsuits. The SEC has declared that cybercrime disclosure within companies is not stringent; however, the Commission reserves the right to monitor companies and their actions to ensure that all data is protected against hacking and that cybercrime incidents are reported.

According to the Associated Press, a survey focused on manufacturing, transportation and chemical industry companies showed that all but two parties out of 168 had systems compromised and sensitive data stolen. This number is extremely worrying, and it is no wonder that the SEC is determined to ensure that all companies are transparent with their customers, investors and other parties. As an example of such concealment, the source mentioned Verisign, which develops network-based services, including security services. The company has been reported to hide successful cyber attacks from its registrants. Sensitive data has also been stolen from such popular companies as MSN, Facebook or LinkedIn, and it seems that virtual communities all over the world could benefit from all companies complying with the SEC's request to expose data breaches or any other cybercrime incidents.

Unfortunately, as Reuters reports, companies are not rushing to report cyber attacks and hide such incidents much more often than they expose them. The situation is unlikely to change until much stricter laws are imposed on companies and they are forced to declare all cybercrime incidents.