Top US cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission (SEC) issued a lengthy "guidance" document on Oct 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.
But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.
Defense contractor Lockheed Martin Corp, for example, said last May that it had fended off a "significant and tenacious" cyber attack on its networks. But Lockheed's most recent 10-Q quarterly filing, like its filing for the period that included the attack, does not even list hacking as a generic risk, let alone state that it has been targeted.
A Reuters review of more than 2,000 filings since the SEC guidance found some companies, including Internet infrastructure company VeriSign Inc and credit card and debit card transaction processor VeriFone Systems Inc, revealed significant new information about hacking incidents.
Yet the vast majority of companies addressing the issue only used new boilerplate language to describe a general risk. Some hacking victims did not even do that.
"It's completely confusing to me why companies aren't reporting cyberrisks" if only to avoid SEC enforcement or private lawsuits, said Jacob Olcott, former counsel for the Senate Commerce committee. The chair of that committee, John D. Rockefeller, urged the SEC to act last year.
Stewart Baker, a corporate attorney and former assistant secretary of the Department of Homeland Security, said the SEC guidance was detailed enough that companies that know they have been hacked will "have to work pretty hard not to disclose something about the scope and risk of the intrusion."
Otherwise, "this is an opportunity for enforcement that practically hands the case to the SEC on a platter," Baker said.
Lockheed spokesman Chris Williams said hacking was covered under the company's most recent annual securities filing, which has as one of many risk factors "security threats, including threats to our information technology infrastructure, attempts to gain access to our proprietary or classified information, threats to physical security of our facilities and employees, and terrorist acts."
No comments:
Post a Comment