
SEC Says Public Firms May Need To Disclose Cyberattacks

Soulskill posted more than 2 years ago | from the would-make-for-some-fun-news-days dept.


Trailrunner7 writes "The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack — or even a potential attack — in order to make potential investors aware of possible risks to the company's business. The guidance, which does not constitute a rule or requirement for companies to disclose, is meant to help registrants in 'assessing what, if any, disclosures should be provided about cybersecurity matters.'"


21 comments

Does this include banks? (4, Insightful)

John.P.Jones (601028) | more than 2 years ago | (#37718078)

If banks can write off fraud as an undisclosed loss without disclosing the truth I don't see why Sony can't do the same.

Re:Does this include banks? (1)

chill (34294) | more than 2 years ago | (#37718184)

If the bank is a public company, then yes.

Sure (2)

Moheeheeko (1682914) | more than 2 years ago | (#37718084)

Because the government totally discloses every time the country is "potentially attacked"

Re:Sure (4, Informative)

chill (34294) | more than 2 years ago | (#37718214)

Potentially attacked means an incident occurred, but you aren't sure if it is a specific, targeted attack or just an incident of random infection.

And yes, they do disclose this on their annual FISMA filings. You will also see the information in the annual Inspector General reports filed with Congress on every agency.

Re:Sure (3, Informative)

citylivin (1250770) | more than 2 years ago | (#37719302)

"Potentially attacked means an incident occurred, but you aren't sure if it is a specific, targeted attack or just an incident of random infection."

I guess you have never looked through your logs, or run an IDS system in your place of work or home. Attacks are literally happening all the time. The amount of people guessing passwords on an ftp, or simply throwing php exploits at your webserver can be tens or hundreds of IP addresses a day.

This is a joke, or else they don't understand the meaning of "potential" attack.

I am all for disclosing when a company or organization gets legitimately hacked. But potential attacks? that would be literally thousands of lines of log files daily, even on a home connection.

Re:Sure (1)

chill (34294) | more than 2 years ago | (#37720584)

The SEC guidance never says "potential attack". It talks about making sure companies include potential cyber security incidents as part of their risk assessment.

The rest refers to successful incidents and attacks that result in material financial cost or loss. This was written by the finance guys. They aren't interested in your firewall logs. They want to make sure a company takes this stuff into account when reporting material risk.

Read the actual document.

Gov't Job Making at its best (1)

Anonymous Coward | more than 2 years ago | (#37718208)

The rules as I read them are so vague that companies are just going to report everything, the signal-to-noise ratio will be über-low, and business will continue as usual.

incident report spam (1)

swan5566 (1771176) | more than 2 years ago | (#37718226)

This seems like something hackers would want to try to do. They had better be careful about how they move forward implementing this.

The real question is... (-1, Offtopic)

dev832 (2485108) | more than 2 years ago | (#37718228)

Do they have to disclose this [evenweb.com] ?

THREATENED cyber incidents?! (1)

Anonymous Coward | more than 2 years ago | (#37718236)

THREATENED cyber incidents?! You have to be f--king joking. We stop hundreds or maybe thousands of these every day. Malicious emails? Yup. Infected web pages? Yup. Firewall probes? Yup. Everybody is constantly at war with this stuff all the time.

So it'll have the same effect as the SEC (2)

DCFusor (1763438) | more than 2 years ago | (#37718258)

None at all.

As it stands... (2)

Synerg1y (2169962) | more than 2 years ago | (#37718410)

Sony only disclosed because PSN went down and people noticed. We don't know if they really disclosed everything or not. It's a little more complicated though, I think that with this being labeled as guidance is a step towards harder regulations on corporate security and consumer standards for privacy when submitting data to a corporation. As it stands it's unregulated and people have taken advantage of it.

Argh (2, Interesting)

Anonymous Coward | more than 2 years ago | (#37718468)

"In order to make potential investors aware of possible risks to the company's business"

Right, they won't do this for CUSTOMERS, but they have a change of opinion when it comes to INVESTORS.

Only If... (0)

Anonymous Coward | more than 2 years ago | (#37718542)

The SEC discloses how much porn they view while financial markets collapse. We must have more transparency with wasted tax dollars.

Anyone remember this story? (2)

TubeSteak (669689) | more than 2 years ago | (#37718584)

http://yro.slashdot.org/story/11/09/09/1843228/New-Legislation-Would-Punish-Mishandling-of-Private-Data [slashdot.org]

I looked at the actual text of the legislation [slashdot.org] and it essentially said that if there's no risk that "sensitive personally identifiable information" was lost, then companies did not have to report the breach.

I'm glad the SEC's rules are much more expansive than the crap ideas our legislators came up with.
I expect to see a lot more disclosures of hacking in the future.

Dear SEC, (4, Interesting)

Medievalist (16032) | more than 2 years ago | (#37718744)

Dear SEC,

We connected our enterprise to the Internet in October 1992. Starting roughly two weeks from that time, we have been under continuous attack from various robots, disgruntled former employees, botnets, viruses, worms, and possibly space aliens. Honestly, we really don't even try to check on the origin of these attacks, we just tarpit them all.

Should you require more detail, we can arrange a real-time feed from our firewall systems, which are currently being attacked roughly every four seconds, just like every other network of our size in the entire world.

Please feel free to attempt to determine the source and purpose of these attacks, since clearly you are no longer interested in monitoring the world's business economy and thus helping ensure a free and fair marketplace.

Sincerely,
--Any Large Internet-connected Business

Re:Dear SEC, (0)

Anonymous Coward | more than 2 years ago | (#37719940)

Ditto. It isn't about attacks; it is about successful breaches, and more specifically, loss of data (you pick your flavor and consequence).

small steps (1)

Gravis Zero (934156) | more than 2 years ago | (#37719588)

i think requiring them to report breaches with details of just what was compromised would be a lot better than a shitload of logs of port scanners.

Re:small steps (0)

Anonymous Coward | more than 2 years ago | (#37720920)

Now, not only can the fraudsters make $$$ from stealing valuable customer information, they can also make money shorting the company's stock when the company has to report the breach to the public. It's a win/win!

Really SEC? (0)

Anonymous Coward | more than 2 years ago | (#37720118)

Not talking about the merits of companies disclosing cyber attacks (both successful and unsuccessful), but this is the SEC we are talking about.

Remember how a couple years ago a few firms nearly destroyed the entire world's economy, and how the SEC never actually got around to fixing it?

You can't build high-level regulations, like disclosing cyber attacks, without ground-level regulations that stop what nearly everyone referred to as Econopocalypse (as in Apocalypse of St. John, as in the END OF THE WORLD). Despite how good of an idea it seems, you can't patch a finger prick before you patch up the dam's giant, flooding hole.

