Companies that are publicly traded have to follow a boatload of rules, many of them enforced by the Securities and Exchange Commission (SEC). But it seems that at least a few of the SEC’s mandates — especially those that govern what a company does when their electronic data’s been compromised — are routinely being ignored. The reason: It may be just basic unfamiliarity with the regulations. But that would mean that Finance didn’t know how to do its job — an unlikely circumstance in most organizations.

It’s more likely, say experts,  that most companies don’t disclose even very successful hacking attacks, because they never find out about them or just don’t want to spook investors, customers or business partners.

Whatever the reason, the problem’s widespread and, if not checked, could lead to fines and other penalties an organization would rather avoid. And it’s likely up to finance to make sure that doesn’t happen, because in most organizations these days, IT reports to finance, which (with the help of legal) contends with the SEC.

Despite recent guidance from the federal government explaining when publicly traded companies must disclose details about information security incidents, many companies are failing to do so, according to a new report.

Last October, the Securities and Exchange Commission (SEC) issued the  guidance, detailing how and when affected companies need to report data breaches.

However, the majority of businesses still aren’t reporting those incidents, according to a recent investigation by Reuters.

The news organization looked at more than 2,000 filings since the SEC’s guidelines were issued. Though some companies had included new information about cybersecurity risks and incidents, many firms that are known to have suffered breaches did not report them.

For example, defense contractor Lockheed Martin suffered an attack last May, but did not include any information about the breach — or about cybersecurity risk in general — in its most recent 10-Q quarterly filing, Reuters reports.

The SEC’s guidelines, which clarified existing rules rather than creating new ones, says information about some security attacks and the significant risk of future incidents should be included in companies’ standard disclosure material. Companies should report attacks if they:

1. Have a material effect on the organization’s financial condition (if profits are lost, for example)
2. Could result in reported financial information no longer being accurate, or
3. Require the company to materially increase its security expenditures.

Tags: data breach, disclosure, Reuters, rules, SEC