I've given Gartner grief for their "IDS is dead" message, but I just read a short document they produced on security reporting requirements:
"On 9 October 2003, U.S. Homeland Security Secretary Tom Ridge stated that the U.S. government may require publicly traded companies to disclose details of their information security readiness to the Securities and Exchange Commission (SEC). The Department of Homeland Security plans to work with the SEC to develop requirements for the inclusion of security information in financial reporting; the U.S. Congress is preparing draft legislation with the same objective....
Boards of directors, CEOs and CFOs should assume that information security reporting will be required no later than the end of 2005 and assign responsibilities and establish reporting procedures. Chief information officers of public companies should assess their security reporting and metrics programs by the second half of 2004, to ensure their ability to issue IT security readiness reports when the expected legislation is enacted."
This is big news for the security industry, which has already picked up new work from the HIPAA and GLB regulations. If all publicly traded companies have to provide this reporting, we might all be very busy soon.