SEC officials said it was crucial for investors to know not just what a company’s risk is but when that risk has become reality. “You now have companies making affirmative statements that they have been subject to attack,” said Lona Nallengara, head of the SEC’s Division of Corporation Finance. “We think that’s a good thing.”
In the past two years, companies have included standard warnings in financial filings that they are subject to computer viruses, electronic break-ins and denial-of-service attacks, just as they are exposed to risks of hurricanes and tornadoes. But now, Nallengara said, a growing number of companies are “stopping before they put in that boilerplate language, and thinking, ‘Has it occurred to us?’ ”
Special Report: Zero Day - The Threat in Cyberspace
Doctors in Boston say BBs and nails from the bomb wreaked havoc, with many victims losing legs.
Obama says “we’re going to need Congress as a partner” to help protect Americans serving overseas.
Assistant Defense Secretary Michael Sheehan testifies to Congress that war with al-Qaeda could last 20 years
But one bank official, speaking on the condition of anonymity, said that his bank would rather disclose to “our partners and the government, and not to the world at large.” He said, “Every time we give detail on what we know about the threats, we’re sharing that with those who might be looking to target us.”
Though companies are more upfront about incidents, they generally assert that the impact is limited. In the report Citi filed Friday, it acknowledged it had suffered DDOS attacks last year “intended to disrupt consumer online banking” but said that its monitoring services were able to respond to these incidents “before they became significant.” It also disclosed it had been affected by data breaches and hacking attempts. The incidents “resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber incidents.”
In some cases, the SEC has nudged firms to report. Last year, for example, Citi reported it had suffered data breaches in 2011. The disclosure came after Citi was among 50 or so companies that received SEC letters in 2011 asking them to explain why certain intrusions or disruptions had not been revealed to investors. In Citi’s case, the Connecticut attorney general and federal authorities, including the Secret Service and FBI, were conducting investigations of how the breach occurred.
Jacob Olcott, a cybersecurity expert with Good Harbor Security Risk Management, said the increased transparency is “an absolutely critical step.” But he added that the public needs more analysis and disclosure of the financial impacts of theft of trade secrets and intellectual property and of disruptions caused by DDOS assaults.
“This is the market solution to cybersecurity,” said Olcott, who as a staff member of the Senate Commerce Committee in 2011 advocated stronger SEC guidance on cybersecurity disclosure. “It’s getting investors aware of the issue. And it’s getting senior executives to manage cyber-risk the same way they would manage other business risks.”