A recent survey from the folks at FireEye and some new action by the Securities and Exchange Commission make a good case for focusing your organization’s attention on IT security in coming months. The FireEye report found that malware capable of slipping through signature-based detection has risen 400% in the past year. Who’s being targeted? The report says financial services, technology, healthcare and energy are the most popular focus of cybercriminals.
And the situation is riskier still: although the SEC has warned publicly traded companies that they must disclose data breach details and information about security risks, most haven’t complied.
So what’s the SEC to do? It’s getting tougher in demanding disclosures.
The SEC first released guidelines last October detailing publicly traded companies’ obligation to report data breaches in their standard disclosure material. The agency didn’t issue a new rule but rather clarified that cyberattacks fall under the long-standing requirement that businesses report “material” developments that are significant enough that shareholders would reasonably want to know about them.
For example, the SEC said companies should report attacks if they:
- Have a material effect on the organization’s financial condition (if profits are lost, for example)
- Could result in reported financial information no longer being accurate, or
- Require the company to materially increase its security expenditures.
Those guidelines haven’t done much to increase data breach disclosures: a former FBI agent reported in June that most of the thousands of data breaches being investigated by authorities were never reported to the SEC.
Now, it appears the SEC has increased its efforts to get companies to report breaches — at least six companies have received letters from the agency compelling them to disclose data breach details, Bloomberg reports. Companies receiving letters included:
- Amazon, whose Zappos.com division was hit by a data breach in which criminals stole the addresses and possibly credit card numbers of 24 million customers in January, and
- Google, whose networks were raided in 2010 by China-based hackers attempting to steal source code.
Both companies complied with requests to put details about the breaches in their earnings reports, Bloomberg said. American International Group, Hartford Financial Services Group, Eastman Chemical Co. and Quest Diagnostics have also gotten similar letters from the SEC, according to the news agency.
Though there have been no reports of organizations being penalized, public companies that fail to meet the data breach disclosure requirements could face SEC enforcement actions and lawsuits from shareholders.
FinanceTechNews.com delivers the latest Finance news once a week to the inboxes of over 150,000 Finance professionals.