(Clarifies that a security breach at Quest Diagnostics potentially exposed employees’ personal information, not patients’.)
It’s getting tougher for some companies to keep quiet about cyberattacks. Securities and Exchange Commission guidelines on when cyberattacks should be disclosed have become de facto rules for at least six companies, including Google (GOOG) and Amazon.com (AMZN), agency letters show. The six were asked to tell investors in future filings that intruders had breached their computer systems, according to the SEC letters sent in March, April, and May. Hacking admissions can hurt reputations, give competitors useful information, and trigger investor litigation.
In January, cyberthieves raided Amazon’s Zappos.com unit, stealing addresses and some credit-card digits from 24 million customers. Amazon initially resisted mentioning the attack in its regulatory filings, even though it had told customers about it, saying Zappos didn’t contribute material revenue to the company. When the SEC persisted, Amazon replied that “we continue to believe that the cyberattack experienced by Zappos is not covered” by the SEC’s guidance on the subject. “However, in light of the staff’s comment, we will revise our disclosure.” Craig Berman, an Amazon spokesman, declined to comment.
Google agreed in May to mention its previously disclosed cyberassault—China-based hackers raided the company’s network—in an earnings report. “We comply with all applicable disclosure rules and regulations,” says Jim Prosser, a Google spokesman. The SEC also prodded American International Group (AIG), Hartford Financial Services Group (HIG), Eastman Chemical (EMN), and Quest Diagnostics (DGX)—all of which have suffered breaches—to improve disclosures, according to letters available on the regulator’s website. “Following a request from the Securities & Exchange Commission, Eastman has enhanced its disclosure reporting regarding cyberthreats and attacks,” says spokesman Brad Belote. Spokesmen for AIG, Hartford, and Quest declined to comment.
The SEC instituted a voluntary disclosure plan in an October advisory. This year the agency has sent companies dozens of letters asking about cybersecurity disclosures and later pushing them to disclose attacks, according to spokesman John Nester. He declined to say how many companies were told to disclose attacks, as the letters aren’t all public yet. “It’s not a rule, but the SEC, by taking a policy position, can effectively create a rule,” says Peter Henning, a former SEC lawyer who teaches at Wayne State University in Detroit. “It lets companies know what it would like to happen.”
The SEC doesn’t have the authority to order companies to spend money on security controls. What it can do is make them report cyber-risks so potential investors are aware of the problems. Under securities law, companies must disclose “material” information, meaning data that might influence investors’ decisions.
Companies may have business reasons for disliking such disclosures, says Michael Perino, a securities law professor at St. John’s University in New York. “If you’re constantly having to disclose actual or potential cyberattacks against the company, that gives information to competitors, to everybody, about the vulnerabilities of the company,” he says.
The SEC can force disclosure without making rules because companies need to stay on good terms with the regulator, which reviews their financial filings and can “make things difficult,” Henning says. Resisting a letter from the agency can be costly, amounting to $250,000 in legal fees, according to Henning. “If it’s complex, your lawyers write drafts in response, you have conference calls with them,” he says. “The SEC knows that’s their power. If you want to litigate with them, it costs millions.”