SEC Advises Companies to Disclose Cyber Attack Risk
By Cydney Posner
Following is a link to a Bloomberg article regarding a just-released letter in which the SEC admonishes public companies to "disclose to investors the threat and potential impact of cyber attacks that pose a 'specific and material' risk." These disclosures might include a discussion of a prior cyber attack or the threat of a future attack, as well as an attack's potential impact. http://www.bloomberg.com/news/2011-06-08/sec-says-companies-should-disclose-cyber-attacks-in-filings.html.
The letter was directed to Senator Jay Rockefeller, chair of the Senate Commerce Committee, in response to the Committee's request that the SEC issue guidance on disclosure of security risks related to breaches of security and unauthorized data disclosure. According to The Hill, Schapiro wrote that whether "a company is required to provide risk factor disclosure regarding potential cyber attacks, including the potential financial or reputational impacts of the attacks, will depend on the facts and circumstances of the company, and the determination of various factors, including the probability of the risk occurring and the magnitude of the risks." Although the SEC has not yet heard any clamor from investors for more disclosure regarding cyber attacks or network security, she has "asked the staff to advise me on whether additional guidance is needed to make sure investors have access to the information they need when making their investment decisions …. As we further analyze this issue, we will seriously consider your request for interpretive guidance."
The request from Rockefeller followed the hacking of Sony's PlayStation Network, which put the personal information of 77 million consumers into jeopardy, according to The Hill. The Committee was dismayed that there was a delay before the company released information about the attack, and the Committee's letter expressed concern that a "substantial number" of companies do not consistently report information security risks to investors on a timely basis. The absence of this information "impairs investor decision-making," the Committee argued. According to Bloomberg, malicious attacks made up 31% of U.S. data breaches in 2010, with each incident costing businesses an average of $7.2 million; a March study by the Ponemon Institute, an information-security research firm, found that about 85% of all U.S. companies have experienced one or more attacks.