Securities and Exchange Commission (SEC) guidelines on when companies should disclose cyberattacks have become de facto rules for at least six companies, including Google and Amazon.com, agency letters show.
The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks weren’t important enough to reveal. Hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation.
Before the requests, Seattle-based Amazon, the largest Internet retailer, hadn’t said in its reports that cyberthieves had raided its Zappos.com unit, stealing addresses and some credit-card digits from 24 million customers in January. In April, Amazon was asked by the SEC to disclose the cyber-raid in its next quarterly filing, which it did.
Google, the world’s biggest search engine, agreed in May to put its previously disclosed cyberassault in an earnings report. American International Group, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also prodded to improve disclosures of cyber-risks, according to SEC letters available on the regulator’s website.
The SEC instituted a voluntary disclosure plan in an October advisory. This year, the SEC sent dozens of letters to some companies, asking about cybersecurity disclosures and later pushing companies to disclose, spokesman John Nester said.
Nester declined to say how many companies had been told to disclose in future filings. The SEC disclosure letters aren’t all public yet.
Cyberattacks on U.S. computer networks rose 17-fold from 2009 to 2011, according to data cited by General Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference.
Businesses spend $10 billion a year globally to fight cybercrime with firewalls, detection systems and software maintenance, while cyberthieves steal hundreds of millions of dollars from online banking accounts, according to a study by university experts recruited by the U.K. Ministry of Defense, “Measuring the Cost of Cybercrime,” presented in June.
Under securities law, companies must disclose “material” information, meaning data that might influence investors’ decisions to buy or sell a company’s securities. Even if a cyberattack didn’t affect revenue or profit much, it would illuminate cyber-risks that a business faces, the SEC said in October.
“In future filings please expand this risk factor to disclose that you have experienced cyberattacks and breaches,” SEC Accounting Branch Chief William H. Thompson wrote to Amazon Worldwide Controller Shelley Reynolds on April 18.
Amazon, first sued in March by Zappos customers seeking damages for stolen account information, initially resisted putting the attack in its description of cyber-risks, saying Zappos didn’t contribute material revenue. When the SEC persisted, Amazon said, “We continue to believe that the cyberattack experienced by Zappos is not covered” by the SEC’s guidance on the subject. “However, in light of the staff’s comment, we will revise our disclosure.”
Amazon in July disclosed more than one breach at unnamed subsidiaries, saying, “although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future.”
Craig Berman, an Amazon spokesman, wouldn’t comment on why the company didn’t want to mention the Zappos attack in an SEC filing, given that it had alerted customers to it in January.
The SEC can force disclosure without making rules, because companies need to stay on good terms with the regulator.
“The SEC knows that’s their power,” Henning said. “If you want to litigate with them, it costs millions.”