Editor’s Note: For information about the SEC’s requirement that US-registered companies publicly report cyber-attacks, see FISMA Focus here.

From: Financial Times

By James Blitz, Defence and Diplomatic Editor

Companies are being urged by the government to declare publicly when they  have suffered serious cyber attacks, as Whitehall is concerned that businesses  are too reticent about such incidents for fear of losing competitiveness.

As the government unveiled details of its strategy to protect the public and  private sectors from cyber threats, senior officials said that investors and  shareholders must encourage company boards to go public when systems have been  attacked or intellectual property lost.

Over the past year, the government has piloted an initiative to share  information with industry about the cyber threat. The scheme involves 160  companies across the defence, finance, pharmaceuticals, energy and  telecommunications sectors.

However, officials believe that companies need to talk publicly about the damage they have suffered from cyber espionage and crime if internet security standards across the private sector are to be raised.

“The government would like to see more disclosure [by companies]  because . . . that is helpful in putting out a sense of how much of this is  going on, and giving companies something to benchmark themselves against,” said  a senior Whitehall official. “If shareholders, analysts, institutions, insurers,  get interested in that, too, that all helps the market dynamic, to drive up  standards.”

Ministers do not want to make it compulsory for companies to disclose whether  they have faced a damaging cyber attack. They fear this would merely create “perverse incentives” for those companies to turn a blind eye to the problem and  not go looking for breaches of internet systems.

“We think it’s better to encourage investors, shareholders and insurers to  ask for that information,” a senior Whitehall official said. “But we need to  make it easier for those people to do that.”

The 2012 PwC information security breaches survey found that 93 per cent of  large corporations and 76 per cent of small businesses had suffered a cybersecurity  breach in the past year.

However, few companies go public about such attacks. Jonathan Evans, the  director-general of MI5, said this year that a state-sponsored cyber attack  against the computer systems of a large listed British company cost it £800m in  lost potential revenues. He did not identify which company was involved.

To tackle this issue, Francis Maude, the minister for the Cabinet Office who  is charged with developing the UK’s cybersecurity strategy, spelt out how the  government wants the market to identify and reward good practice.

He said the government wants to work with a range of bodies – such as the  Institute of Chartered Secretaries and Administrators, the Audit Committee  Institute, the Association of General Counsel, Company Secretaries of the FTSE  100, and the International Corporate Governance Network – to establish  cybersecurity as a serious business risk.

“These organisations are in a unique position to influence board room  behaviour,” he said. “We will work with them and other risk and audit  professionals to ensure the message is getting through.”

Unveiling the latest details of its cyber security strategy, the government also said that the Ministry of Defence will recruit a force of “cyber reservists” to bolster Britain’s online defences.

All three military services will bring in additional experts to support their  work preventing cyber attacks. Details of the cyber reserve force will be  announced by ministers next year.