The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen.

MetLife Inc., Coca-Cola Co., and Honeywell International Inc. were among the 100 largest U.S. companies by revenue to disclose online attacks in recent filings with the Securities and Exchange Commission, according to data compiled by Bloomberg. Citigroup Inc. reported “limited losses” while the others said there was no material impact.

Those mixed messages have triggered a debate over whether Washington is overstating the damage from cyber attacks or whether companies are understating its impact — or not disclosing the attacks at all. It also raises questions about whether some companies are painting more alarming scenarios for politicians than for their investors.

“There is a clear discrepancy between what companies are reporting to their stockholders and what they're declaring to policy makers,” said Sascha Meinrath, vice president of the New America Foundation, a Washington-based policy group. The confusion harms the ability of legislators and agency officials to understand cybersecurity, Meinrath said.

Representative Mike Rogers, a Michigan Republican who leads the House Intelligence Committee, has said foreign intruders “are stealing literally billions” of dollars from companies. Army General Keith Alexander, head of U.S. Cyber Command and the National Security Agency, called cybercrime “the greatest transfer of wealth in history.”

After a wave of cyber attacks hit a Federal Reserve website, the New York Times and other news outlets, and U.S. banks, President Barack Obama issued an executive order in February to better protect businesses and critical assets, such as pipelines and power grids.

The challenge for companies is that regulators want more information about cyber attacks yet businesses don't want to provide hackers with a road map to their networks.

The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information is material, meaning it would affect an investor's willingness to buy, hold, or sell the company's stock. The business may have to describe the financial fallout of an attack if it's “reasonably likely” to lead to reduced revenue or higher costs, the guidance states.

'Appropriate Disclosure'

Decisions about material impact are made by companies, though SEC staffers may ask how they made those calls. Agency officials say the guidance is working. “We don't think there is a need for a rule requirement at this time,” James Daly, SEC associate director, said in a phone interview.

More than 70 percent of investors are interested in reviewing company cybersecurity practices, according to a survey of 405 investors released in February by the security firm HBGary Inc.

“For the sake of investors, the SEC needs to figure out a way of enforcing the appropriate disclosure of material cyber attacks,” said Jacob Olcott, who led a congressional review as counsel to Senator Jay Rockefeller, a West Virginia Democrat, that resulted in the SEC guidance.

Olcott is now a principal at Good Harbor Security Risk Management, a Washington-based consulting firm.

Cyber attacks are more likely to be material for some companies than others, Brian Lane, a former SEC corporation finance director, said in an interview. “Ask yourself which company's stock would plummet if investors learned a hacker had access to company files?” said Lane, a partner at Gibson, Dunn & Crutcher LLP.

Almost all of the top 100 U.S. companies by revenue said they rely on technology that may be vulnerable to security breaches, theft of proprietary data and disrupted operations, according to a review of their most recent annual reports.

“I would bet some are just not being forthcoming,” Lance Hoffman, director of George Washington University's Cyber Security Policy and Research Institute, said in an interview.

Companies including Amazon.com Inc., Comcast Corp. and Verizon Communications Inc. have been asked by the SEC over the past year to disclose more about cyber attacks than they volunteered in 2011 annual reports.

H. Roger Schwall, SEC assistant director for corporation finance, wrote to ConocoPhillips Chief Financial Officer Jeff Sheets on Sept. 26 asking the company to disclose “actual and attempted breaches” and provide a cyber risk section.

Attack Targets

ConocoPhillips, one of at least six major U.S. and European energy companies reported by Bloomberg to have been breached by China-based hackers beginning in 2009, said in its 2012 annual report no cyber breaches “had a material effect.”

Daren Beaudo, a spokesman for ConocoPhillips, declined to comment beyond the filings.

Coca-Cola acknowledged its “information systems are a target of attacks,” in its 10-K and said the disruptions “to date have not had a material effect on our business, financial condition or results of operations.”

The company was told by the FBI that hackers broke into its computers to steal files about its aborted $2.4 billion bid for China Huiyan Juice Group in 2009, Bloomberg reported in November. Coca-Cola didn't mention the incident in SEC filings.

Coca-Cola doesn't comment on security matters, said Petro Kacur, a company spokesman.

If a company doesn't disclose an attack in an SEC filing that was reported in the news media, “don't be surprised if we ask you to provide us with a materiality analysis,” Jim Lopez, an SEC branch chief for disclosure operations, said at a Washington conference in February.

David Kepler, an executive vice president for Dow Chemical Co., said in prepared testimony for a March 7 Senate hearing the company is “regularly” attacked “from sources that are advanced, persistent and targeting our intellectual property.”

Dow only made passing reference to cyber threats in its annual report Feb. 15, putting the risks on par with severe weather events.

“There is a disconnect,” Stewart Baker, a former Homeland Security Department official and now a Washington-based partner at Steptoe & Johnson LLP, said in an interview. “All that intellectual property that the government sees leaving the country is coming from somewhere.”

Dow's annual report documents principal risks in keeping with the SEC guidance, Rebecca Bentley, a spokeswoman, said in an e-mail. “Our 10K information is structured to provide the appropriate balance and level of detail regarding Dow's most significant risk drivers,” she said.

While Verizon said in its 2012 10-K the cyber attacks it experienced haven't been material, the company said the potential costs of a major assault include “expensive incentives” to keep customers, a jump in security spending, lost revenue and damage to the company's reputation.

Spokesmen Ed McFadden of Verizon, Mark Costiglio of Citigroup, Victoria Streitfeld of Honeywell International and John Calagna of MetLife declined to comment.

Marty Mosby III, a bank analyst and managing director at Guggenheim Securities LLC, said the SEC disclosures show cyber attacks are no greater threat than hurricanes or natural disasters. Bank management teams say strikes are disruptive to customers without being a financial drain, Mosby said in a phone interview.

Larry Ponemon, chairman of the Ponemon Institute, a data protection research firm in Traverse City, Michigan, has been reviewing the SEC filings. “A majority of companies are taking a minimalist approach and they're disclosing a bare minimum so they don't get in trouble,” he said.

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
