How many publicly traded companies need to improve their cybersecurity? How much danger are those companies in of actually being hacked? The U.S. Securities and Exchange Commission wants you to have a better idea, especially if you’re a shareholder of one or more of the companies.
Late last week, the SEC introduced a new set of guidelines that, while not making it legally necessary for companies to disclose their online vulnerabilities, does make it easier for shareholders to launch legal action against those companies for withholding the information.
While the SEC is not suggesting that vulnerabilities be disclosed in detail, just the suggestion that disclosure may be necessary—and that the decision as to whether it is necessary or not lies with the corporations in question—opens the door to legal challenges, according to analyst Christopher Wolf:
“This SEC Guidance is likely to result in public corporations engaging is a substantial and detailed assessment of their cybersecurity risks to determine if public disclosure is required, and may lead to a litigation trend of plaintiffs suing corporation following a data security breach, alleging that the risks of such a breach were not properly assessed or disclosed.”
The guidelines were issued following a call from Senator Jay Rockefeller, who asked for such a move back in May. In a statement, he wrote:
“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them. Intellectual property worth billions of dollars has been stolen by cybercriminals, and investors have been kept completely in the dark. This guidance changes everything.”
He’s not wrong that cyber risks tended to go unreported; a report from McAfee earlier this year suggested that only 10% of companies reported all their breaches. As to whether this will change everything? Well, let’s wait and see how many lawsuits roll in as a result.
Graeme McMillan is a reporter at TIME. Find him on Twitter at @Graemem or on Facebook at Facebook/Graeme.McMillan. You can also continue the discussion on TIME’s Facebook page and on Twitter at @TIME.