The SEC as a force for transparency in cyber espionage events

by Chris Zappone

U.S. Securities and Exchange Commission

This Bloomberg piece teases out the idea that US companies are not fully reporting the cyber espionage against them – or that the cyber espionage is not nearly as bad as the US government contends. Whichever is ultimately true, the level of disclosure from companies doesn’t match what has been discussed recently in the Mandiant report and statements from the US. 

“There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policy makers,” said Sascha Meinrath, vice president of the New America Foundation, a Washington-based policy group.

The discrepancy is understandable because this issue, while clearly going on for some time, is only now becoming public. As a rule, companies are hesitant to raise alarms with shareholders and do anything to increase the perception of risk in their operations. But it would be interesting, at any one of these companies, to compare the views of their chief risk officers, their executives, and the guys running their day-to-day IT security. I bet the views would vary widely within the same company. And to the government, they might be saying something else entirely, again, from a legalistic perspective.

The Securities and Exchange Commission wants any “material” intrusion to be filed with them.

“The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information is material, meaning it would affect an investor’s willingness to buy, hold, or sell the company’s stock. The business may have to describe the financial fallout of an attack if it’s ‘reasonably likely’ to lead to reduced revenue or higher costs, the guidance states.”

But the enforcement of this is unclear, too, and up to the discretion of individual companies.

If a company doesn’t disclose an attack in an SEC filing that was reported in the news media, “don’t be surprised if we ask you to provide us with a materiality analysis,” Jim Lopez, an SEC branch chief for disclosure operations, said.

I imagine in some cases, it wouldn’t be clear what the ultimate damage is. But over time, now that companies have been given the guidance and it’s a matter of public discussion, a very revealing portrait of who has been compromised may emerge.

“There is a disconnect,” Stewart Baker, a former Homeland Security Department official, said. … “All that intellectual property that the government sees leaving the country is coming from somewhere.”

While the disconnect may continue, the shift in the perception about the problem may begin to narrow the gap between what the government and what businesses are saying.