"Securing cyberspace is one of the most important and urgent challenges of our time." With these words in May 2011, Senator Jay Rockefeller, the Chairman of the Senate Commerce, Science and Transportation Committee, and four other Senators, called upon the Chairman of the Securities and Exchange Commission, Mary Schapiro, to develop and publish interpretive guidance clarifying existing disclosure requirements relating to cybersecurity risk. The Senators' letter stated that a substantial number of companies do not report this risk to investors. The Senators referred to a 2009 study by Hiscox, an insurance underwriter, which found that 38% of Fortune 500 companies made a "significant oversight" by not mentioning privacy or data security exposures in their public filings.
Chairman Schapiro, in the Commission's first official statement regarding the disclosure of cyber attacks, responded on June 6, 2011. Chairman Schapiro stated that existing disclosure requirements already impose a requirement that reporting companies disclose information regarding cybersecurity risk. The first requirement cited by the Chairman was Item 503(c) of Regulation S-K (Risk Factors), which requires disclosure of past and future cyber attacks or the effects of a cyber attack. The Chairman continued with her view, stating that the description of a company's business required by Item 101 would require disclosure if a company's trade secrets were compromised in a cyber attack; Item 103 could be implicated if there were pending material litigation relating to a company's customer database being attacked, causing a release of personal information; and Item 303 (MD&A) could also be implicated if the company's trade secrets were compromised, resulting in operating costs and/or losses.