The 13 October 2011 SEC guidance, CF Disclosure Guidance: Topic No. 2: Cybersecurity, leaves most of the decision of what sort of breaches are significant enough to disclose up to the affected organizations. But look at this:

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship.

Hm, incentives like showing an improved reputational risk ranking?

Perhaps in order to prevent this sort of thing?

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.

The SEC is still missing at least one connection between dots:

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.

Sure, infosec costs money. But if infosec actually prevents loss of customer goodwill, infosec could attract and retain customers, so infosec could be a source of profit. If anybody knows about it, that is.

-jsq