UPDATE 2-SEC asks companies to disclose cyber attacks

Thu Oct 13, 2011 9:10pm EDT

* Lays out examples of things companies might disclose

* Calls for reports of attacks, remediation steps

By Jim Finkle and Sarah N. Lynch

BOSTON/WASHINGTON, Oct 13 (Reuters) - U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes.

The Securities and Exchange Commission issued guidelines on Thursday that laid out the kind of information companies should disclose, such as cyber events that could lead to financial losses.

Senator John Rockefeller had asked the SEC to issue guidelines amid concern that it was becoming hard for investors to assess security risks if companies failed to mention data breaches in their public filings.

"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement.

"It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," Rockefeller said in a statement.

There is a growing sense of urgency about cyber security following breaches at Google Inc, Lockheed Martin Corp, the Pentagon's No. 1 supplier, Citigroup, the International Monetary Fund and others.

Tom Kellermann, chief technology officer of security firm AirPatrol Corp, said that the SEC guidance tells companies to report cyber attacks and disclose steps to remediate problems.

"They must also incorporate cyber events into their material risk reports," said Kellermann, who has advised U.S. President Obama on cyber policy.

The SEC gets into specifics, telling companies what type of data they might need to provide investors.

"Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue," it says.

(The document can be accessed on the SEC's website: www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm)

A report out earlier this month found that U.S. banks are losing ground in the battle to combat credit and debit card fraud because they balk at the expense of higher security. Globally, however, security is improving in the payment industry, according to data from The Nilson Report, a California trade publication.

There is some hope of U.S. legislation to address the problem, although the House of Representatives appears more interested in tackling it piecemeal while the Senate is opting for a more far-reaching approach.

Most of the concern has been focused on critical facilities like nuclear power, electricity, chemical and water treatment plants.