“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences,” the SEC explained.
David Navetta, a founding partner of the Information Law Group, and Nicole Friess, an associate at the law firm, wrote in their blog, “SEC Issues Guidance Concerning Cyber Security Incident Disclosure,” not to expect a wave of new public security breach disclosures from listed companies as a result of the SEC guidance. “While cyber security risk has always been a potential financial disclosure issue, and something that directors and officers need to take into account, the SEC guidance really highlights the issue and brings it to the fore. Even so, materiality is still going to be a big issue, and not every breach will need to be reported as many/most will not likely involve the potential for a material impact to a company,” they wrote.
“It’s not as if companies are not already expected to report a breach that is material to earnings, such as Heartland, TJX, and many others have in the past. What the SEC has done is underline that IT security risks to materiality are no different than any other types of risks and need to be considered as such,” he says.
While we may not see a wave of new breach disclosures, Navetta and Friess estimate that many firms are not as prepared internally as they need to be in order to determine the potential impact of IT security breaches.
http://www.csoonline.com/article/691951/new-sec-security-breach-rules-no-big-game-changer-experts-say?source=CSONLE_nlt_update_2011-10-20