Public companies are required to disclose significant risks to investors, and to execute due care in discovering and evaluating those risks.
This is simply guidance as to when "computer security issues" should be among those risks.
So for instance, in NFLX's 10-K, you'll find:
IF THE POPULARITY OF THE DVD FORMAT CONTINUES TO SLOW OR IF THE RETAIL SALES PRICES OF DVDS DECLINE, OUR BUSINESS COULD BE ADVERSELY AFFECTED
Although the growth of DVD sales continues to slow, we believe that the DVD will continue to be a valuable consumer proposition and studio profit center for the next several years. As DVD sales begin to decline, studios and other resellers may significantly lower prices to encourage consumers to continue to utilize the format. Unless we are successful at retaining our subscribers with our streaming offerings, a decline in the popularity of the DVD as indicated by declining sales or a reduction in price leading to consumers purchasing instead of using our service, could result in our business could be adversely affected.
The SEC is suggesting circumstances in which they'd expect similar language surrounding information security.
Reuters [1] and VentureBeat [2] have reports. Here is a key passage:
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.
I'm not an investor, but I read that to indicate that if the attack has an impact on the business that would affect a reasonable investor's decision with regard to whether to buy, sell or hold stock in the company, it needs to be disclosed.