The Disclosure Debate: When Should Companies Reveal Cyber Attacks?
When companies suffer a serious cyber attack that leads to the loss of intellectual property or does damage to valuable infrastructure, they are left with a vexing question: Do we disclose it?
This crucial decision often sparks a series of ripple effects, impacting everything from the company’s share price and customer relationships to its precious reputation. A well-thought-out, honest response can be praised, while a fumbled one may be tough to recover from.
Concerns about companies’ cyber-security disclosure policies have mounted amid new reports suggesting recent high-profile attacks have been more damaging than the public was initially led to believe. There is a consensus that companies have been both slow to discover attacks and reluctant to open up about them.
“We have seen companies that have been attacked and individuals in those companies get very scared and sometimes have shown reluctance to take all the actions they should take,” said Tom Gann, vice president of government relations at McAfee. “Some organizations have been attacked and have done less than they should while in other cases we’ve seen companies do more than they” need to.
Regulators and those in cyber-security and corporate governance circles believe the onus should be on management to disclose to shareholders and other stakeholders cyber attacks that do material harm.
However, due to the growing nature of the threat, it’s still a murky area in corporate governance. Aside from its usual mandate to disclose material developments, the Securities and Exchange Commission is only now beginning to give public companies specific guidance on how to proceed in the event of an intrusion.
“Companies definitely have a duty to disclose to stockholders any material damage to intellectual property or infrastructure or any reasonably foreseeable potential vulnerabilities that could have a material impact on the business or operations,” Jim Rickards, senior managing director at Tangent Capital in New York, said in an email.
Hackers Infiltrate Corporate America
Cyber attacks have received increased attention in recent years amid high-profile attacks on Fortune 500 companies and against sensitive U.S. government officials and agencies. Attacks can consist of anything from penetrating firewalls in an effort to download sensitive information like patents or top secret M&A plans to denial of service attacks aimed at bringing down entire web sites.
The perpetrators often come from Russia, Eastern Europe and China, but can include domestic hackers and even corporate rivals. According to a recent McAfee report, one single attacker penetrated over 70 organizations representing more than 30 industries around the world over a five-year period in an attack dubbed “Operation Shady RAT.” The adversary stole intellectual property that included government secrets, email archives, legal contracts and design blueprints.
The hardest hit areas tend to exist in four high-risk sectors: high tech, defense, banking and energy.
“If you’re in one of those categories, you’ve already been breached. If you have one incident you have discovered, there are probably others you haven’t discovered,” said Jeffrey Carr, a regular consultant to U.S. government agencies on cyber security and CEO of Taia Global.
Attacks in these sectors have reportedly been conducted against a crush of companies in recent years, including Adobe Systems (NASDAQ:ADBE), Intel (NASDAQ:INTC), Sony (NYSE:SNE), BP (NYSE:BP), ExxonMobil (NYSE:XOM), ConocoPhilips (NYSE:COP), General Electric (NYSE:GE) and Northrop Grumman (NYSE:NOC).
“Companies have had a wakeup call with the well-known large-scale attacks on banks, defense contractors and government agencies,” Rickards wrote. “Today the burden is on companies to keep aware of the changes, invest heavily in improved security and generally increase the level of disclosure.”
Damage Control
Several more recent high-profile attacks appear to have been more severe than previously known. For example, last week Reuters reported hackers who broke into Nasdaq OMX Group (NASDAQ:NDAQ) in 2010 breached a system used by directors of public companies to share confidential information. Nasdaq, which previously said there was no sign hackers accessed customer information, didn’t respond to a request for comment.
Likewise, Google (NASDAQ:GOOG) disclosed a cyber attack last year, dubbed Operation Aurora, but the statement and subsequent media coverage focused almost entirely on the attack’s efforts to hack into the email accounts of Chinese cyber-rights activists.
It was later learned that hackers had stolen something much more valuable to Google – source code for Gaia, a password management program – and tried to steal its signing certificates, according to Vanity Fair. The initial statement’s only allusion to this more damaging aspect was by saying the attack targeted “our corporate infrastructure” and “resulted in the theft of intellectual property from Google.”
RSA, the security division of EMC (NYSE:EMC), has been criticized by some for its disclosure in March of an attack on its SecurID system, which has about 40 million users of its tokens and 250 million users of its software. Security analysts have said it’s likely the hack eventually led to a major breach on defense contractors Northrop, L-3 Communications(NYSE:LLL) and Lockheed Martin (NYSE:LMT), which in May described its attack as “significant and tenacious.”
“From top to bottom they screwed up in terms of their disclosure,” Carr said of RSA. He said executives were “so tricky with their wording that it was leading customers to believe one thing when the opposite was true.”
However, RSA’s disclosure practice was likely hampered by its being a security company and having a myriad of different customers with varying security needs
“We immediately developed and published best practices and remediation steps, and proactively reached out to thousands of customers across the public and private sectors to help them implement those steps,” an RSA spokesperson said.
Fallout From Attack
Sometimes companies’ reluctance to fully disclose the extent of cyber attacks is due to a belief it may hurt its stock price or cause a kneejerk loss of customers.
“You’re not going to want to sacrifice anything like reputation to meet short-term results,” said Ralph Walkling, a corporate governance professor at Drexel University in Philadelphia.
Disclosure practices are likely to change radically in the coming months in the wake of the new SEC guidance, which was released earlier this month. While not a set of rules or regulations, the guidance calls on public companies to disclose significant incidents of cyber attacks or theft. The guidelines also go a step further, urging public companies to tell shareholders even when they believe they’re at a risk of a cyber crime.
Even though there isn’t an SEC disclosure requirement on public companies, material information on cyber security risks and cyber incidents is already required to be disclosed. Various industries, such as the chemicals sector, also already have other regulatory oversight on cyber security, Gann of McAfee said. Existing law in many states also requires companies to tell consumers when their personal information may have been exposed.
“The SEC rule, if anything, will tend to put more of a level playing field in place. This will generally raise the bar across the board,” said Gann. “Our sense is that this will have the practical effect of being a rule, given the power of the SEC.”
Cyber experts said companies need to accelerate ongoing efforts in some sectors to share with peers, who are often their rivals, the kind of malware involved in attacks and successful efforts to thwart them.
“It’s a vital practice,” said Gann.
Too Much Regulation?
Some believe the government has dragged its feet in this area.
“This is 17 years since the invention of the World Wide Web and we’re just now starting to even provide some guidance,” said Carr.
Others are leery about regulators adding a new layer of rules on corporate America, which already complains of overregulation.
“I’m really reluctant to suggest new regulation. That’s always the knee-jerk reaction and it’s not always the right one,” said Walkling.
Gann said McAfee “tends to believe positive incentives” such as tax credits and liability reform “will do the most to change behavior.” He called the SEC approach the “middle ground” between truly positive incentive and measures that may be too harsh, such as empowering the Department of Homeland Security to regulate and audit firms.
Mass disclosures shouldn’t be mandated before properly educating the public about the threat and the fact that many attacks are going on each day, Carr said.
“It’s a complicated scenario because if a company just makes a full disclosure, their stockholders and board members could easily overreact to that,” said Carr.