The likely effects of corporate cyber-attack disclosure

Companies may see more network vulnerability admissions in the coming months as a result of the SEC’s mandated disclosure rules

In October 2011, the Securities and Exchange Commission (SEC) requested for the first time that public companies disclose cyber-attacks against them. Today, Bloomberg reported on the kinds of disclosures companies may soon begin to see as a result of the SEC’s guidance, and the risks that come along with them.

Here’s a summary of the key points:

  • More than 20 percent of Fortune 500 companies are currently experiencing or have recently dealt with serious breaches, according to security firm Mandiant Corp.
  • In the past decade, China-based cyber spies have attacked the networks of more than 2,000 companies, government agencies, research universities and Internet service providers, according to former U.S. counterintelligence chief Joel Brenner.
  • Before the SEC’s guidance, companies rarely admitted to such attacks. One exception was Google, which owned up to a cyber-burglary aimed at its source code in 2010.
  • The guidance aims to give investors important information: for example, that hackers could gain control of the computerized release valves that control oil pipelines, something that could cost many lives should it actually occur.
  • Critics, however, say that more detailed reporting of cyber-security risks by public companies could give hackers too much information and actually help them better plan their attacks.

In the coming months, as public companies file their annual performance reports, Bloomberg predicts investors can expect to see at least a few new admissions of corporate networks being hacked.
