Despite rules laid out by the Securities and Exchange Commission (SEC), publicly traded companies aren’t disclosing details of major data breaches.
In October of last year, the SEC issued guidelines telling publicly traded companies when they must report details of cyber attacks. The guidelines, which clarified existing rules rather than created new ones, say information about some security attacks and the significant risk of future incidents should be included in companies’ standard disclosure material. Companies should report attacks if they:
- Have a material effect on the organization’s financial condition (if profits are lost, for example)
- Could result in reported financial information no longer being accurate, or
- Require the company to materially increase its security expenditures.
However, a June report from Reuters found that companies aren’t taking those guidelines seriously. According to Shawn Henry, the FBI’s former top cybersecurity officer, the feds are investigating thousands of data breaches, even though only a handful of them have been publicly reported as required by the SEC’s rules.
Companies concealing breaches
In fact, many organizations routinely conceal information about serious data breaches — particularly when they might affect high profile mergers and other deals — according to a recent report from Bloomberg.
One recent example was a cyber attack leveled against Coca-Cola in 2009, right before the beverage giant was about to acquire a Chinese company in a deal that eventually fell through.
In that data breach, hackers used malicious emails to gain access to Coca-Cola’s network for at least a month, stealing emails and other documents and installing a keylogger on a top executive’s computer.
Despite the extent of the breach, Coca-Cola never publicly disclosed any information about the cyber attack, although a spokesperson told Bloomberg the company makes disclosures in its public filings when appropriate and required by SEC rules. One issue keeping many data breaches from being disclosed seems to be a lack of clarity regarding when attacks have a material effect.
While it’s still not fully clear when disclosures are required, the SEC says that if information about attacks isn’t disclosed, companies could face enforcement actions, lawsuits from shareholders or letters from regulators demanding they improve their disclosures.