Securities and Exchange Commission guidelines on when companies should disclose cyber-attacks have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc., agency letters show.
The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks weren’t important enough to reveal. Hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation.
Before the requests, Seattle-based Amazon, the largest Internet retailer, hadn’t said in its reports that cyber-thieves had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January. In April, Amazon was asked by the SEC to disclose the cyber-raid in its next quarterly filing, which it did.
Google, the world’s biggest search engine, agreed in May to put its previously disclosed cyber-assault in an earnings report. American International Group Inc., Hartford Financial Services Group Inc., Eastman Chemical Co. and Quest Diagnostics Inc. were also prodded to improve disclosures of cyber-risks, according to SEC letters available on the regulator’s website.
The U.S. Congress, reviewing a bill designed to boost defenses against computer attacks, has been debating ways to encourage companies to disclose such hacking, including a voluntary system for reporting.
The SEC instituted a voluntary disclosure plan in an October advisory. This year, the SEC sent dozens of letters to some companies, asking about cyber-security disclosures and later pushing companies to disclose, spokesman John Nester said.
“It’s not a rule, but the SEC, by taking a policy position, can effectively create a rule,” said Peter Henning, a former SEC lawyer who teaches at Wayne State University in Detroit. “It lets companies know what it would like to happen.”
Nester declined to say how many companies had been told to disclose in future filings. The SEC disclosure letters aren’t all public yet.
Cyber-attacks on U.S. computer networks rose 17-fold from 2009 to 2011, according to data cited by General Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference.
Businesses spend $10 billion a year globally to fight cyber-crime with firewalls, detection systems and software maintenance, while cyber-thieves steal hundreds of millions of dollars from online banking accounts, according to a study by university experts recruited by the U.K. Ministry of Defense, “Measuring the Cost of Cybercrime,” presented in June.
The SEC doesn’t have the authority to order companies to spend money on security controls to try to fend off attackers. It can make them report cyber-risks to investors who buy stocks or make loans. To attract capital, companies might then have to take steps to reduce the risks, Democratic U.S. Senator John D. Rockefeller IV said in a May 2011 letter to SEC Chairman Mary Schapiro.
Rockefeller, Chairman of the Senate Commerce Committee, asked the SEC to issue guidance on disclosing cyber-risks and network breaches. It did so five months later, telling companies to acknowledge any breaches or malware in the risk section of their earnings reports.
Companies may have legitimate business reasons for disliking such disclosures, said Michael Perino, a securities law professor at St. John’s University in New York.
“If you’re constantly having to disclose actual or potential cyber-attacks against the company, that gives information to competitors, to everybody about the vulnerabilities of the company,” Perino said. “There’s also the possibility for SEC action and investor lawsuits.”
A cyber-security bill proposed by Connecticut Senator Joe Lieberman, an independent, would have given companies limited protection from lawsuits if they followed reasonable standards in guarding critical networks. President Barack Obama is considering executive-branch action after Congress failed to pass the legislation, said John Brennan, Obama’s counterterrorism adviser, this month at an event at the Council on Foreign Relations in Washington.
While Amazon’s e-commerce business might not have qualified as critical under the legislation, following safety measures set under a government program would have helped reduce liability, said Stewart Baker, partner at the Steptoe & Johnson LLP law firm and a former Department of Homeland Security assistant secretary for policy.
“Courts might decide you’re complying with widely accepted standards,” he said. “Courts are otherwise more likely to find you acted unreasonably.”
Lawsuits against Zappos allege violations of industry standards, including those for firewalls and encryption. Amazon and Zappos, working since March to get nine would-be group suits merged into one and moved to federal court in Nevada, haven’t yet responded to customers’ allegations.
The SEC doesn’t offer protection from lawsuits when it forces disclosure. Under securities law, companies must disclose “material” information, meaning data that might influence investors’ decisions to buy or sell a company’s securities. Even if a cyber-attack didn’t affect revenue or profit much, it would illuminate cyber-risks that a business faces, the SEC said in October.
“In future filings please expand this risk factor to disclose that you have experienced cyber-attacks and breaches,” SEC Accounting Branch Chief William H. Thompson wrote to Amazon Worldwide Controller Shelley Reynolds on April 18.
Amazon, first sued in March by Zappos customers seeking damages for stolen account information, initially resisted putting the attack in its description of cyber-risks, saying Zappos didn’t contribute material revenue. When the SEC persisted, Amazon said, “We continue to believe that the cyber-attack experienced by Zappos is not covered” by the SEC’s guidance on the subject. “However, in light of the staff’s comment, we will revise our disclosure.”
Amazon in July disclosed more than one breach at unnamed subsidiaries, saying, “although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future.”
Insurer Hartford also told the SEC it hadn’t had a “material” cyber-breach and was told to disclose any attack it had. AIG agreed to say in its next quarterly report: “Like other global companies, we have, from time to time, experienced threats to our data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions.”
Craig Berman, an Amazon spokesman, wouldn’t comment on why the company didn’t want to mention the Zappos attack in an SEC filing, given that it had alerted customers to it in January. James Ankner, an AIG spokesman, declined to comment on the company’s correspondence with the SEC. Hartford spokesman Thomas Hambrick said the company had no immediate comment.
The SEC can force disclosure without making rules, because companies need to stay on good terms with the regulator, which regularly reviews their financial filings and can “make things difficult,” Henning said. There was no official SEC rule in the 1970s about disclosing bribery overseas, yet the SEC let companies know it would be a good idea to disclose illegal payments, and they obeyed, he said.
Google Chief Executive Officer Larry Page, who disclosed in a January 2010 filing that China-based hackers raided the company’s networks for source code, agreed to repeat the information in an earnings report when the SEC said in May it would “provide the proper context for your risk factor disclosures.”
SEC Special Counsel Maryse Mills-Apenteng’s letter had asked Google to respond within 10 days to four single-spaced pages of comments on the company’s preliminary proxy statement and annual report. Google, based in Mountain View, California, replied two days later, saying it would disclose the cyber-assault in its next filing.
The company extensively revised its proxy statement in response to SEC comments and agreed to alter its voting procedures as recommended, according to a letter from Google’s outside counsel, Wilson Sonsini Goodrich & Rosati PC, which specializes in securities and intellectual property law.
“We comply with all applicable disclosure rules and regulations,” Jim Prosser, a Google spokesman, said.
Resisting a letter from the SEC can be costly, amounting to $250,000, according to Henning.
“If it’s complex, your lawyers write drafts in response, you have conference calls with them,” he said. “It’s easier to put a line in your 10-Q, if you’re told to disclose something,” referring to the shorthand form name for quarterly earnings reports.
“The SEC knows that’s their power,” he said. “If you want to litigate with them, it costs millions.”