The SEC staff is interested in knowing the origin of cyber attacks, including whether the intruder is a competitor, foreign government or hacker group, Mark Kronforst, the SEC’s associate director for disclosure operations, said at a panel discussion in Washington April 5. The staff also wants to know when an attack isn’t discovered by the company and is instead found by a third party.
The SEC staff hasn’t asked those questions in correspondence with public companies, Lona Nallengara, the SEC’s corporation finance director, said in an interview after the panel discussion.
“If you’re an investor and you want to see the company you are investing in is adequately protected against cyber attack, you’d want to know did their systems detect it?” Nallengara said. “Did they know they got breached? Or did they find out a month later when someone told them that we found records this came from your company?”
Information about the source of an attack could yield insight into whether it’s material to investors, Nallengara said. “Is it a competitor? Someone seeking your proprietary information or your technology. Or on the contrary, is it someone simply out to destroy or simply not motivated by financial gain?”
Disclosure about specific attacks “is still fairly rare at this point,” Kronforst said during the panel discussion.