
New SEC guidelines require companies to disclose cyber attacks

David Pierce is editor-at-large and Vergecast co-host with over a decade of experience covering consumer tech. Previously, at Protocol, The Wall Street Journal, and Wired.

After a rash of cyber attacks on major companies, the SEC has decided companies must tell investors how and when they've been attacked, and how they're handling it. The new guidelines come after a summer in which huge companies like Sony and Citigroup suffered major losses at the hands of hackers: a million PSN passwords in Sony's case, and 360,000 credit card accounts in Citigroup's. Both companies admitted they were attacked, but were vague about exactly which customers were affected and what they were doing in response. The SEC's new guidelines don't allow for that vagueness: when a company is the victim of a cyber attack, it now needs to disclose that it was attacked, what happened, who was affected, how it's fixing it, and how it's preventing another attack from happening. Most importantly to investors, it needs to disclose how much all of that is going to cost. Though none of this will prevent future attacks, it's a nice bit of added transparency for consumers and investors in our increasingly web-based world.
