When to Report a Cyberattack? For Companies, That’s Still a Dilemma

It has been seven years since the Securities and Exchange Commission first advised public companies to tell investors if they had suffered a cyberattack deemed to be material. Again, it warned public companies to make “timely” disclosure, recognizing the “grave threat” that cybercrime poses to investors and the capital markets.

Yet, the S.E.C.’s new guidance doesn’t confront the practical quandary facing public companies victimized by a cyberattack: Going public with news of a cyberattack isn’t always an easy call. Law enforcement often encourages, or even demands, that the incident not be disclosed. This tension between the need for discreet cooperation with law enforcement and the obligation to inform investors and the markets creates a dilemma for public companies.

While the guidance acknowledges that it will often take time to “discern the implications” of a breach and that it “may be necessary to cooperate” with law enforcement, it concludes that an active investigation would not “on its own” be a reason to avoid disclosure of a material cybersecurity incident.

Perhaps this dilemma explains why so few public companies report breaches. issued its initial cyber guidance, only 106 companies have reported incidents to the S.E.C. While a proportion of those were private companies, it’s unlikely that public companies suffered only 106 breaches that were material in that time.