Cyberspies and criminals steal what is estimated to be tens of billions of dollars worth of data from U.S. companies each year. Yet experts say few companies report these losses to shareholders.
Now the Securities and Exchange Commission is pressing for more disclosure, issuing new guidelines this week that make clear that publicly traded companies must report significant instances of cybertheft or attack, or even when they are at material risk of such an event.
“Investors have been kept completely in the dark,” said Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate commerce committee, which urged the SEC to take the action. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”
The SEC guidance clarifies a long-standing requirement that companies report “material” developments, or matters significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no exception.
For example, the SEC says, a company probably will need to report on costs and consequences of material intrusions in which customer data are compromised. The company’s revenue could suffer, and it could be forced to spend money to beef up security or fight lawsuits. In addition, if a company is vulnerable to cyberattack, investors may need to be informed of the risk, the SEC said.
The move is a significant step toward transparency in an opaque area of corporate security and should spur greater awareness that protecting computer networks is crucial to a company’s bottom line, experts said. Combating espionage against corporate America by hackers in China and other countries is a matter of national and economic security, U.S. officials have said, and they say understanding the scope of the problem is key to fashioning an effective response.
“It’ll force executives to really understand what’s going on within their corporations,” said Melissa Hathaway, a former White House cyber coordinator who has long advocated the SEC strengthen its guidance. “I think it will create the demand curve for cybersecurity.”
But the SEC is pushing against a corporate culture predisposed to secrecy. “It’s very unlikely companies are going to belly up to the bar and run around and start reporting this all of sudden,” said Jody Westby, chief executive of Global Cyber Risk, a consulting firm.
Westby said she advised a Fortune 100 company that had suffered a major breach in 2008 that the company report it to the SEC. “They just laughed and said, ‘We don’t agree,’ ” she recalled. “Companies involved in breaches are very reluctant to reveal what happened, and much less tell the SEC what happened. Why? Because of a fear of reputational damage.”
Experts said this is why the guidance is necessary — to underscore that disclosure of material breaches is mandatory.
But Larry Ponemon, chairman of the Ponemon Institute, a research group in Traverse City, Mich., said reporting on potential risk is almost meaningless because virtually every firm is at risk and “almost every major organization” has suffered a breach. He predicted that companies still will provide only minimal disclosure.
Some companies may want to disclose a hacking incident but do not have the expertise to assess the damage, said John Reed Stark, a former SEC official and now a security consultant with Stroz Friedberg. “Yet the SEC has clearly launched a shot across the bow,” he said. He urged the SEC to allow companies some latitude. “Otherwise the result will be chaos and confusion,” he said.
Companies that fail to make disclosures could face various consequences, said David B.H. Martin, co-head of the securities practice at Covington & Burling. They could be sued by shareholders or subjected to SEC enforcement actions. Regulators also could send them letters calling on them to improve their disclosures.
Calculating the costs of cybertheft, whether for criminal or espionage purposes, is difficult. The Ponemon Institute has found the average cost of a breach to be between $5 million and $8 million. But it took nine months to assess the impact on 50 companies, Larry Ponemon said.
Scott Borg, an economist with the nonprofit U.S. Cyber Consequences Unit, said companies often do not know the value or extent of data loss. Using data from the U.S. Bureau of Economic Analysis, he has estimated the annual loss to cybertheft at $6 billion to $20 billion.
One of the few companies to report a compromise to the SEC was Intel, which did so in January 2010 — shortly after Google’s disclosure that it had been hacked by attackers in China who stole valuable source code. Alan Paller of the SANS Institute has said Google was among more than 80 companies hit by the same malware.
Intel spokesman Chuck Mulloy this year said that “nothing of any value was taken that we can tell,” though he added, “We can’t say that with absolute certainty.”
“You don’t want to disclose confidential or proprietary information,” Mulloy said. “But to the extent you can disclose and be as forthright as you can, it’s simply good corporate governance.”