NEW YORK – Securities and Exchange Commission guidelines on when companies should disclose cyber-attacks have become de facto rules for at least six companies, including Google and Amazon.com, agency letters show.
The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks werent important enough to reveal. Hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation.
Before the requests, Seattle-based Amazon, the largest Internet retailer, hadnt said in its reports that cyber-thieves had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January. In April, Amazon was asked by the SEC to disclose the cyber-raid in its next quarterly filing, which it did.
Google, the worlds biggest search engine, agreed in May to put its previously disclosed cyber-assault in an earnings report. American International Group, Hartford Financial Services, Eastman Chemical and Quest Diagnostics were also prodded to improve disclosures of cyber-risks, according to SEC letters available on the regulators website.
Congress, reviewing a bill designed to boost defenses against computer attacks, has been debating ways to encourage companies to disclose such hacking, including a voluntary system for reporting.
The SEC instituted a voluntary disclosure plan in an October advisory. This year, the SEC sent dozens of letters to some companies, asking about cyber-security disclosures and later pushing companies to disclose, spokesman John Nester said.
Its not a rule, but the SEC, by taking a policy position, can effectively create a rule, said Peter Henning, a former SEC lawyer who teaches at Wayne State University in Detroit. It lets companies know what it would like to happen.
Nester declined to say how many companies had been told to disclose in future filings. The SEC disclosure letters arent all public yet.
Cyber-attacks on U.S. computer networks rose 17-fold from 2009 to 2011, according to data cited by Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference.
Businesses spend $10 billion a year globally to fight cyber-crime with firewalls, detection systems and software maintenance, while cyber-thieves steal hundreds of millions of dollars from online banking accounts, according to a study by university experts recruited by the British Ministry of Defense, Measuring the Cost of Cybercrime, presented in June.
The SEC doesnt have the authority to order companies to spend money on security controls to try to fend off attackers. It can make them report cyber-risks to investors who buy stocks or make loans. To attract capital, companies might then have to take steps to reduce the risks, Sen. John Rockefeller, D-W.Va., said in a May 2011 letter to SEC Chairman Mary Schapiro.
Rockefeller, chairman of the Senate Commerce Committee, asked the SEC to issue guidance on disclosing cyber-risks and network breaches. It did so five months later, telling companies to acknowledge any breaches or malware in the risk section of their earnings reports.
Companies may have legitimate business reasons for disliking such disclosures, said Michael Perino, a securities law professor at St. Johns University in New York.
If youre constantly having to disclose actual or potential cyber-attacks against the company, that gives information to competitors, to everybody about the vulnerabilities of the company, Perino said.
Theres also the possibility for SEC action and investor lawsuits.
Eric Engleman, Michael Riley and Emily Grannis contributed to this story.