This week the SEC released a rather specific set of recommendations asking for six major companies to reveal any large-scale breaches in their cyber-security.
Though the SEC’s letter was initially met with some reluctance by Google, Amazon, AIG, HIG, Eastman Chemical Company, and Quest Diagnostics, they all agreed to include any recent hacking incidents in their upcoming 10-Qs. But their acquiescence was not quiet.
Bloomberg reported that both Google and Amazon cited possible market risks in disclosing information that they felt had no major impact on their current investors but which could easily scare off future ones. They also claimed that disclosure could open the floodgates for potential investor lawsuits regardless of the well-intentioned transparency brought about by voluntary compliance. Their concerns are not without merit; President Obama has acknowledged their dilemma and is currently considering granting legal protection to companies that not only comply with the SEC’s preferences but also upgrade general security measures in order to prevent future attacks.
The SEC, for its part, didn’t technically issue an official rule ordering the companies to disclose hacking incidents, but its authority is such that any regulatory “guidance” is usually interpreted as regulatory guidelines. According to former SEC lawyer Peter Henning, the agency can “make things difficult” for dissenters if it is ignored.