Cyber Attacks May Be Revealed to Investors as SEC Rules Push Disclosures
By Michael Riley – Jan 10, 2012 9:54 AM ET
China-based hackers rifled the computers of DuPont Co. (DD) at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers.
It’s not something investors would have learned from DuPont’s regulatory filings, or from those of other companies victimized by hackers. The 10-K’s DuPont submitted to the U.S. Securities and Exchange Commission over the period don’t identify hacking as even a significant risk, much less reveal what two U.S. intelligence officials later said was a successful case of industrial espionage.
Over the next three months, as publicly traded companies file 10-K’s, investors may see new admissions of corporate networks being hacked after the SEC said companies can’t continue to hold back the details of those incidents.
As cyberspies from China, Russia and other countries ransack the computer networks of one major U.S. and European firm after the next, the SEC in October offered its new interpretation of disclosure requirements as applied to cybercrime. The amount of information that’s forthcoming will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise.
Daniel Turner, a spokesman for Wilmington, Delaware-based DuPont, said, regarding the previously-reported hack, “We let our disclosures speak for themselves.”
Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber-based industrial espionage, has responded to incidents at 22 Fortune 100 companies, said Richard Bejtlich, the firm’s chief security officer. Mandiant estimates that many more than 20 percent of Fortune 500 companies experienced serious breaches recently or are dealing with current ones, Bejtlich said.
When Google Inc. (GOOG) announced in 2010 that China-based hackers had raided its networks, it was a rare example of a U.S. company publicly revealing a cyberburglary aimed at its intellectual property — in this case, its source code.
Google, the world’s largest search-engine firm, said at the time that at least 34 other major companies were victims of the same attack. Only two – Intel Corp. and Adobe Systems Inc. (ADBE) — stepped forward, and they provided few specifics.
The networks of more than 2,000 companies, research universities, Internet service providers and government agencies were hit over the past decade by China-based cyber spies, according to Joel Brenner, U.S. counterintelligence chief until 2009. A November report by 14 U.S. intelligence agencies said Russia and other countries also are involved in such activities.
RIM, Boston Scientific
The companies, including firms such as Research In Motion Ltd. (RIM) and Boston Scientific Corp. (BSX), range from some of the largest corporations to niche innovators in sectors like aerospace, semiconductors, pharmaceuticals and biotechnology, according to intelligence data obtained by Bloomberg News.
“It doesn’t square that billions of dollars in intellectual property is being lost and investors don’t care,” said Jacob Olcott, a former staff expert on cybersecurity for the Senate Commerce Committee. In May, the panel asked SEC Chairman Mary Schapiro to clarify how cyber intrusions should be reported under the so-called material fact rule.
“We’re afraid investors don’t know what they don’t know,” he said.
The guidance, which also says companies can’t use vague, general descriptions of the risks associated with possible future cyber break-ins when describing “risk factors,” raised fears that more detail could create a road map for hackers, said Alexander Tabb, a partner at TABB Group, which advises corporate clients on risk assessment.
“I have to agree with some of the critics who say the guidance is much more useful for the individuals looking to attack a company than it is for investors,” Tabb said.
The victims of even serious attacks, meanwhile, are largely silent, often reporting only breaches that fit narrow legal requirements, such as the theft of credit card numbers or customer information. Many of the headline-grabbing hacks of 2011, including Sony Corp., Citicorp, and Epsilon Data Management LLC, involved such data.
“I have not heard any company in any meeting commenting on this subject or being asked about this subject,” said Fadel Gheit, an oil and gas industry analyst and managing director at Oppenheimer & Co.
Yet the oil and gas industry has been a frequent target of successful cyber-raids — many originating from China, which is on a hunt for global oil reserves.
Beginning in 2009, the networks of at least six major U.S. and European energy companies were breached by China-based hackers. The victims included Exxon Mobil Corp., Royal Dutch Shell Plc, ConocoPhillips and BP Plc.
The hackers stole exploration data and computerized topographical maps, according to several assessments, including one by McAfee Inc., a security division of Intel Corp., which didn’t identify the victims. The attacks provided the cyber- thieves with valuable, confidential assessments of the quality and accessibility of oil reserves, according to Ed Skoudis, senior security consultant with InGuardians Inc., a Washington- based security firm that investigated two of the breaches. He declined to identify his clients or the origin of the hackers.
The oil companies’ financial filings from the period didn’t assess possible losses or mention the attacks, which became public through a report by Bloomberg News.
John Roper, a spokesman for ConocoPhillips, and Alan Jeffers, a spokesman for Exxon Mobil, said their companies don’t comment on security matters. BP and Shell didn’t immediately respond to requests for comment after business hours in Europe.
Whatever the potential effect of those attacks, it would be less than a scenario outlined in December at the World Petroleum Conference in Doha, Qatar.
WPC attendees were warned that hackers, who are launching more carefully planned attacks against the industry, could gain control of computerized release valves that control oil pipelines, resulting in loss of life, uncontainable fires and costly court battles, according to a report of the briefing by the Soufan Group, a New York-based security firm.
Investors scouring the financial filings of major oil companies would have no idea they faced such a risk.
“That is the nightmare scenario,” Gheit said. “It just has gone over our heads” as investors.
Raids on Companies
In the past five years, cyberspies have raided pharmaceutical companies, cosmetics makers, chip fabricators and mining companies. They have stolen blueprints, manufacturing technology and the chemical formulas of market-leading products, according to two intelligence officials, who spoke on the condition their names not be used because of the sensitivity of the subject.
Often, the officials said, the significance of the hacks are difficult for the companies themselves to evaluate, Tabb said.
The costs may depend on factors such as who took the data and whether they have the ability to use it, or transfer it, to replicate competitive products.
Those unknowns may lead compliance attorneys to advise against making incidents public regardless of the new guidance, said Tabb, especially given concerns over reputational loss or a backlash by shareholders angry that the company failed to secure its secrets.
“You will see an increased mention of cybersecurity risk- factor disclosure as a result of the SEC guidance,” said Amy L. Goodman, co-chairman of the securities regulation practice group at Gibson, Dunn & Crutcher LLP. “In terms of disclosure of actual cyberattacks, I think it’s too early to tell.”
An indication of the conservative inclination in reporting cybersecurity matters occurred in March 2011, following an attack against RSA Security Inc., the network security division of EMC Corp.
In that incident, China-based hackers infiltrated RSA’s computer network and stole critical technology related to SecurID, an authentication token used by banks, defense contractors and government agencies to secure their networks.
It was a devastating attack by several measures, including the loss of valuable proprietary technology and damage to the reputation of a company that’s paid for its expertise in protecting its clients from hackers.
In an 8-K filed on March 17, 2011, EMC told investors that the event wouldn’t have a material impact on the company or its financial results.
Kevin Kempskie, a spokesman for RSA, declined to comment on the filing. Olcott said EMC based the decision on the security division’s contribution to total company revenue.
Critics, including the lawmakers who sent the letter to Schapiro in May, said narrow disclosure calculations by companies skirt several SEC requirements, including the necessity to disclose when trade secrets are compromised.
“Companies will think of every single reason not to report these incidents, which is why the investor side of things really needs to take control of these issues,” said Olcott, the former Senate aide.
Investors haven’t done more to press for details and the impact of attacks because “they now look at an investing cycle as maybe a quarter or at most a year,” said Eden Chen, portfolio manager at Los Angeles-based Lightmark Capital. That’s too short a time for stolen technology to make a significant difference in many companies’ fortunes, he said.
“If you are looking at companies for 10 years down the line you would definitely ask those questions,” he said.
To contact the reporter on this story: Michael Riley in Washington at email@example.com
To contact the editor responsible for this story: Michael Hytha at firstname.lastname@example.org.