Cyber Security On The Investor Agenda

By Neville Hobson

US securities regulators have formally asked public companies for the first time to disclose cyber attacks against them, reports Reuters.

The US Securities and Exchange Commission issued guidelines on October 13 that set out the kinds of information companies should disclose relating to cyber security risks and cyber incidents:

[…] Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

In its guidance document, the SEC says that reporting on cyber security risks and cyber incidents should be included in Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A).

The SEC also makes clear that the guidance is just that, not a rule, regulation, or statement, although I can’t imagine many publicly-listed companies covered by SEC oversight not making any disclosure if warranted.

The SEC’s guidance is comprehensive in scope, enabling any company to clearly see what they need to do.

The subject of cyber security is high on the political agenda, too. Next month, the London Conference on Cyberspace takes place with a stated aim of offering “a focused and inclusive dialogue to help guide the behaviour of all in cyberspace.” Speakers include senior representatives from governments, business and civil society.

In addition to the physical event in London on November 1 and 2, the conference embraces online communities where anyone can participate in debate and dialogue via the Twitter hashtag #LondonCyber.

Follow the conference on Twitter: @LondonCyber.


About Neville Hobson
Neville Hobson is the author of the popular blog which focuses on business communication and technology.

Neville is a UK-based communicator, blogger and podcaster. He helps companies use effective communication to achieve their business goals.
