The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.
MetLife Inc., Coca-Cola Co., and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks in recent filings with the Securities and Exchange Commission, according to data compiled by Bloomberg. Citigroup Inc. reported “limited losses” while the others said there was no material impact.
Those mixed messages have triggered a debate over whether Washington is overstating the damage from cyber attacks or whether companies are understating its impact -- or not disclosing the attacks at all. It also raises questions about whether some companies are painting more alarming scenarios for politicians than for their investors.
“There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policy makers,” said Sascha Meinrath, vice president of the New America Foundation, a Washington-based policy group. The confusion harms the ability of legislators and agency officials to understand cybersecurity, Meinrath said.
Representative Mike Rogers, a Michigan Republican who leads the House Intelligence Committee, has said foreign intruders “are stealing literally billions” of dollars from companies. Army General Keith Alexander, head of U.S. Cyber Command and the National Security Agency, called cybercrime “the greatest transfer of wealth in history.”
After a wave of cyber attacks hit a Federal Reserve website, the New York Times and other news outlets, and U.S. banks, President Barack Obama issued an executive order in February to better protect businesses and critical assets, such as pipelines and power grids.
The challenge for companies is that regulators want more information about cyber attacks yet businesses don’t want to provide hackers with a road map to their networks.
The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information is material, meaning it would affect an investor’s willingness to buy, hold, or sell the company’s stock. The business may have to describe the financial fallout of an attack if it’s “reasonably likely” to lead to reduced revenue or higher costs, the guidance states.
Decisions about material impact are made by companies, though SEC staffers may ask how they made those calls. Agency officials say the guidance is working. “We don’t think there is a need for a rule requirement at this time,” James Daly, SEC associate director, said in a phone interview.
More than 70 percent of investors are interested in reviewing company cybersecurity practices, according to a survey of 405 investors released in February by the security firm HBGary Inc.
“For the sake of investors, the SEC needs to figure out a way of enforcing the appropriate disclosure of material cyber attacks,” said Jacob Olcott, who led a congressional review as counsel to Senator Jay Rockefeller, a West Virginia Democrat, that resulted in the SEC guidance.
Olcott is now a principal at Good Harbor Security Risk Management, a Washington-based consulting firm.
Cyber attacks are more likely to be material for some companies than others, Brian Lane, a former SEC corporation finance director, said in an interview. “Ask yourself which company’s stock would plummet if investors learned a hacker had access to company files?” said Lane, a partner at Gibson, Dunn & Crutcher LLP.
Almost all of the top 100 U.S. companies by revenue said they rely on technology that may be vulnerable to security breaches, theft of proprietary data and disrupted operations, according to a review of their most recent annual reports.
“I would bet some are just not being forthcoming,” Lance Hoffman, director of George Washington University’s Cyber Security Policy and Research Institute, said in an interview.
Companies including Amazon.com Inc., Comcast Corp. and Verizon Communications Inc. have been asked by the SEC over the past year to disclose more about cyber attacks than they volunteered in 2011 annual reports.
H. Roger Schwall, SEC assistant director for corporation finance, wrote to ConocoPhillips Chief Financial Officer Jeff Sheets on Sept. 26 asking the company to disclose “actual and attempted breaches” and provide a cyber risk section.
ConocoPhillips, one of at least six major U.S. and European energy companies reported by Bloomberg to have been breached by China-based hackers beginning in 2009, said in its 2012 annual report no cyber breaches “had a material effect.”
Daren Beaudo, a spokesman for ConocoPhillips, declined to comment beyond the filings.
Coca-Cola acknowledged its “information systems are a target of attacks,” in its 10-K and said the disruptions “to date have not had a material effect on our business, financial condition or results of operations.”
The company was told by the FBI that hackers broke into its computers to steal files about its aborted $2.4 billion bid for China Huiyuan Juice Group in 2009, Bloomberg reported in November. Coca-Cola didn’t mention the incident in SEC filings.
Coca-Cola doesn’t comment on security matters, said Petro Kacur, a company spokesman.
If a company doesn’t disclose an attack in an SEC filing that was reported in the news media, “don’t be surprised if we ask you to provide us with a materiality analysis,” Jim Lopez, an SEC branch chief for disclosure operations, said at a Washington conference in February.
David Kepler, an executive vice president for Dow Chemical Co., said in prepared testimony for a March 7 Senate hearing that the company is “regularly” attacked “from sources that are advanced, persistent and targeting our intellectual property.”
Dow only made passing reference to cyber threats in its annual report Feb. 15, putting the risks on par with severe weather events.
“There is a disconnect,” Stewart Baker, a former Homeland Security Department official and now a Washington-based partner at Steptoe & Johnson LLP, said in an interview. “All that intellectual property that the government sees leaving the country is coming from somewhere.”
Dow’s annual report documents principal risks in keeping with the SEC guidance, Rebecca Bentley, a spokeswoman, said in an e-mail. “Our 10K information is structured to provide the appropriate balance and level of detail regarding Dow’s most significant risk drivers,” she said.
While Verizon said in its 2012 10-K the cyber attacks it experienced haven’t been material, the company said the potential costs of a major assault include “expensive incentives” to keep customers, a jump in security spending, lost revenue and damage to the company’s reputation.
Spokesmen Ed McFadden of Verizon, Mark Costiglio of Citigroup, Victoria Streitfeld of Honeywell International and John Calagna of MetLife declined to comment.
Marty Mosby III, a bank analyst and managing director at Guggenheim Securities LLC, said the SEC disclosures show cyber attacks are no greater threat than hurricanes or natural disasters. Bank management teams say strikes are disruptive to customers without being a financial drain, Mosby said in a phone interview.
Larry Ponemon, chairman of the Ponemon Institute, a data protection research firm in Traverse City, Michigan, has been reviewing the SEC filings. “A majority of companies are taking a minimalist approach and they’re disclosing a bare minimum so they don’t get in trouble,” he said.