

SEC issues guidance telling public companies when to disclose cyber attacks - hornokplease
http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

======
etherealG
Anyone care to turn this into layman's terms?

~~~
tptacek
Public companies are required to disclose significant risks to investors, and
to execute due care in discovering and evaluating those risks.

This is simply guidance as to when "computer security issues" should be among
those risks.

So for instance, in NFLX's 10-K, you'll find:

IF THE POPULARITY OF THE DVD FORMAT CONTINUES TO SLOW OR IF THE RETAIL SALES
PRICES OF DVDS DECLINE, OUR BUSINESS COULD BE ADVERSELY AFFECTED

 _Although the growth of DVD sales continues to slow, we believe that the DVD
will continue to be a valuable consumer proposition and studio profit center
for the next several years. As DVD sales begin to decline, studios and other
resellers may significantly lower prices to encourage consumers to continue to
utilize the format. Unless we are successful at retaining our subscribers with
our streaming offerings, a decline in the popularity of the DVD as indicated
by declining sales or a reduction in price leading to consumers purchasing
instead of using our service, could result in our business could be adversely
affected._

The SEC is suggesting circumstances in which they'd expect similar language
surrounding information security.

