SEC guidelines to prompt more breach disclosures
Under new guidelines issued by the Securities and Exchange Commission Thursday, public companies are supposed to report cyber attacks that could potentially lead to unexpected losses. Companies will have to disclose intellectual property that is stolen in a breach and the cost of fixing security flaws. If you've been looking for something to help tie the need for security investment to the bottom line, this may be it.
The new guidance, which goes into effect next year, expands the information that companies may have to disclose when a network is hacked or data is stolen if it could affect investors' decisions. If a network is hit with malware and customer data is exposed, for example, the company "may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences," the SEC said. Companies may also have to disclose "threatened cyber incidents to place the discussion of cybersecurity risks in context."
The SEC beefed up the disclosure guidelines after lawmakers called for clearer rules in the wake of massive hacks earlier this year into corporate networks, including Citigroup, Lockheed Martin, Sony and other major corporations. Sen. John Rockefeller, D-W.Va., who was vocal in calling for the update, was quoted saying that the new "guidance changes everything."
I'm not sure it changes everything. The guidance is somewhat vague, filled with a lot of phrases like "may need to," "may have to" and "should," leaving room for interpretation. It is very clear, however, on the point that the guidance "is not a rule, regulation, or statement of the Securities and Exchange Commission." What's more, the SEC "has neither approved nor disapproved its content." It seems that there may be enough ambiguity in this guidance to let a lot of security breaches fall through the disclosure cracks.
Nonetheless, the hope of the new guidance is that it "will allow the market to evaluate companies in part based on their ability to keep their networks secure," Rockefeller said. "We want an informed market and informed consumers, and this is how we do it."
There are CEOs--perhaps most?--who would prefer to preserve an uninformed market and uninformed consumers when it comes to security breaches, and that is understandable to a certain extent. Security is expensive, and it has been next to impossible to demonstrate its contribution to the bottom line. The new guidance out of the SEC may make that demonstration a bit easier.
Ultimately, someone has to pay for security breaches, and forcing that burden onto consumers and investors isn't a sustainable strategy. If corporations don't get serious about security, in the long term we're all breached. - Caron