The Securities and Exchange Commission (SEC) has issued guidelines to publicly traded companies about what they’re obligated to disclose when hit by a cybersecurity breach. In particular, the SEC expects companies to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” Disclosure would be required of substantial costs for remediation, increased cybersecurity protections, lost revenues, litigation or reputational damage associated with cyber incidents involving theft of intellectual property, other proprietary or financial information, or disruption of operations. Additionally, disclosure may be required of material information related to cybersecurity risks, the severity and frequency of prior cyber incidents, the probability of cyber incidents, and the adequacy of preventative actions against threatened attacks.
The guidelines clarify that, “While registrants should provide disclosure tailored to their particular circumstances and avoid generic ‘boilerplate’ disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.” This reporting requirement will shed more light on how publicly traded companies are dealing with cybersecurity, and will add more pressure to investor-owned utilities already grappling with cybersecurity threats to the smart grid. Pike Research estimated that utility companies worldwide are likely to spend $21 billion by 2015 to improve cybersecurity for the smart grid. Meanwhile, the U.S. energy sector awaits national, interoperable security standards to support the modernization of the grid, leading to heightened concerns about grid security and its impacts.
Earlier this year, Sen. Rockefeller, Chair of the Senate Commerce Committee, sent a letter to SEC Chairwoman Mary Schapiro calling on the Commission to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems. Sen. Rockefeller applauded the SEC action in a press release, saying, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it. I asked the SEC about this because these companies are required under law to report these incidents.”
Chairman Rockefeller is a lead sponsor of comprehensive legislation to create a framework for enhancing the Nation’s cybersecurity posture, including a provision for a greater federal role in protecting the electric system from cyberattack. The prospects for action on cybersecurity legislation this year are considered dim. In the absence of Congressional action, increased SEC reporting requirements may be one way to “incentivize” such efforts.