Securities and Exchange Commission guidelines on when companies should disclose cyber-attacks have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc., agency letters show.
The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks weren’t important enough to reveal. Hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation.
The SEC doesn’t have the authority to order companies to spend money on security controls to try to fend off attackers. It can, however, make them report cyber-risks to investors who buy stocks or make loans. To attract capital, companies might then have to take steps to reduce those risks, Democratic U.S. Senator John D. Rockefeller IV said in a May 2011 letter to SEC Chairman Mary Schapiro.
“Courts might decide you’re complying with widely accepted standards,” he said. “Courts are otherwise more likely to find you acted unreasonably.”
Insurer Hartford also told the SEC it hadn’t had a “material” cyber-breach and was told to disclose any attack it had. AIG agreed to say in its next quarterly report: “Like other global companies, we have, from time to time, experienced threats to our data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions.”