Raj J. Patel reports:
Despite the increase in cyberattacks, the Securities and Exchange Commission (SEC) has yet to publish guidelines as to when a corporation should publicly disclose the data loss, system disruption, or other damages caused by a cyber incident — even where the incident caused financial losses. Some companies have included standard warnings in financial filings that they’re subject to computer viruses, electronic break-ins, and denial-of-service attacks, just as they’re exposed to risks of hurricanes and tornadoes. Other companies don’t explicitly report financial losses from data security breaches in their quarterly and annual reporting and may be at risk from expensive shareholder lawsuits alleging the failure to take reasonable steps to protect their cyber infrastructure.
Many financial institutions are taking note of this, and at least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of cyberattacks last year. In their annual financial reports to the SEC, major banks such as Bank of America, Citi, Wells Fargo and JPMorgan Chase, along with smaller institutions, have reported that their systems were hit with computer disruptions or intrusions. SEC officials said it was crucial for investors to know not just what a company’s risk is but when that risk has become reality.
Read more on Crain’s Business Detroit.
What I particularly appreciate about this article is that Patel makes the same suggestion I’ve often made about having a number people can call to report a breach:
Cyberattacks are inevitable, but not implementing an effective incident response process and team is negligent. And so I ask, do you have a 1-800 hotline to report data breaches?