Companies Worry About SEC's Advice to Disclose Cyberthreats
January 26, 2012 (San Jose Mercury News, Calif.)

Deluged by cyberattacks they've mostly hidden from the public, companies in Silicon Valley and elsewhere are being prodded by federal regulators to finally fess up to this fast-growing threat to their businesses and their customers.
Corporate hacking costs companies and consumers billions of dollars a year, experts say, and has ensnared corporations ranging from online shoe retailer Zappos.com to valley tech giant Google (GOOG). But until these new rules from the Securities and Exchange Commission, the full extent of the problem has been unknown, since big businesses are loath to provide many, if any, details, fearing embarrassment and concerned about adding to the harm.
But there are indications corporate hacking is widespread. One study found that nearly 40 percent of Fortune 500 companies fail to disclose cyberattacks and privacy breaches in their public filings.
Donald Vieira, a former Justice Department security expert who advises corporations about cyberthreats, called the directive "a wake-up call for a lot of companies to sit back and look at what they are doing."
But some security experts say publicly traded corporations are being placed in a Catch-22 by the SEC. Under the SEC guidelines, these experts say, companies could be sued by shareholders for not revealing enough about their susceptibility to cyberthreats if the businesses later suffer losses. Yet disclosing too much, they add, might give hackers a detailed blueprint to steal their technology or other secrets.
"Everywhere I go, this is a top area of discussion, and lawyers and companies are really wrestling with it," said John Reed Stark, former chief of the SEC's Office of Internet Enforcement who now works for digital risk-management firm Stroz Friedberg. "This is a very new area."
The "guidance" the SEC issued in October advises firms to make a variety of revelations if they are hacked. These include detailing whether the attack caused a loss of intellectual property, sparked lawsuits against the company, damaged its sales, harmed its customers or suppliers or prompted it to "materially increase its cybersecurity protection expenditures."
Even if firms aren't attacked, the SEC urged them to describe the cyberrisks they face, including the "consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption." Since companies typically file quarterly reports with the SEC, disclosure of cyberattacks will likely start occurring in coming months.
SEC representative Florence Harmon declined to comment on what might happen to firms that ignore the guidance. But some experts believe it could trigger fines or other punitive action, depending on the circumstances.
The SEC published the notice after five U.S. senators, including Jay Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, complained to the agency in May that "the lack of quality, public information in these matters enables an inefficient marketplace that devalues security and impairs investor decision-making."
As evidence, the lawmakers cited a 2009 insurance underwriters' report that found "38 percent of Fortune 500 companies made a 'significant oversight' by not mentioning privacy or data security exposures in their public filings."
Other studies have reached similar conclusions.
Finding that one attack had compromised more than 70 businesses and governmental entities, Intel's (INTC) security division McAfee reported in August that public understanding of the problem is minimal, in part "due to the very limited number of voluntary disclosures by victims."
Given the frequency of attacks, it added, "every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly)."
A separate McAfee study in April found that hackers had infiltrated 85 percent of the 200 energy and related industries it surveyed. And in October, Symantec reported that another cyberattack had hit 48 chemical, defense and other companies, including Fortune 100 firms.
Some companies have disclosed problems even before the SEC rules took effect. Those that have include Intel, Google, Sony, aeronautics giant Lockheed Martin and consulting firm Booz Allen Hamilton. And just this year Amazon's online apparel retailer Zappos revealed it had been hacked.
But "many companies are unaware when their sensitive data is pilfered, and those that find out are often reluctant to report the loss, fearing potential damage to their reputation with investors, customers and employees," concluded a recent report to Congress by the federal Office of the National Counterintelligence Executive.
Alan Paller of the SANS Institute, a computer-security education organization, said he also knows of businesses that have concealed cyberthefts "because they are embarrassed," and he finds that worrisome. "When people hide the attack, they lower the perceived risk," which reduces the urgency of others to guard their data, he said.
Unfortunately, many companies aren't adequately protected, according to a survey this year by PricewaterhouseCoopers and two magazines that cater to corporate computer specialists. Of more than 9,600 executives queried, just 16 percent said their security policies addressed the most sophisticated cyberattacks, known as advanced persistent threats. Moreover, it found the executives' confidence about their computer defenses has slipped since 2006.
Roland Trope, a security expert and adjunct professor at West Point, said companies are in a tough spot. While they must try to plug every vulnerability, hackers only need to find one weakness to steal data. And unless executives lock their secrets in a vault with no link to the Internet, cyberthreats are likely to intensify, he said, "because the advantage is with the attackers."