Cyber Attack? What Cyber Attack?

Companies aren’t disclosing much impact from computer crime | “I would bet some are just not being forthcoming”

Chris Strohm, Eric Engleman, and Dave Michaels

ILLUSTRATION BY TANE WILLIAMS

The news is full of stories about hackers breaking into corporate computer networks, and federal officials say the attackers are stealing billions of dollars in business secrets. Yet investors would have a hard time finding evidence of any damage. Among the 27 largest U.S. companies reporting cyber attacks — including MetLife, Coca-Cola, and Honeywell International — almost all said there has been no material impact from computer breaches. Citigroup, which reported “limited losses,” was an exception. The companies declined to comment. “I would bet some are just not being forthcoming,” says Lance Hoffman, director of George Washington University’s Cyber Security Policy and Research Institute.

That mixed message has triggered a debate about whether Washington is overstating the damage from cyber attacks or companies are understating their impact — or not disclosing the attacks at all. “There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policy-makers,” says Sascha Meinrath, vice president of the New America Foundation, a policy group. The confusion hampers the ability of legislators and agency officials to understand cyber-security, Meinrath says.

The challenge for companies is that regulators want more information about cyber attacks, yet businesses don’t want to provide hackers with a road map to their networks. The Securities and Exchange Commission issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information would affect an investor’s willingness to buy, hold, or sell the company’s stock.

Decisions about what constitutes material impact are made by companies, though SEC staffers may ask how they made those calls. Agency officials say the guidance is working. “We don’t think there is a need for a rule requirement at this time,” says James Daly, an associate director of the SEC. In an April 10 letter, Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) asked the SEC to give more authoritative guidance to companies, saying reporting so far is “insufficient.”

David Kepler, an executive vice president for Dow Chemical, said in prepared testimony for a March 7 Senate hearing that the company is “regularly” attacked “from sources that are advanced, persistent, and targeting our intellectual property.” Dow made only passing references to cyber threats in its annual report published on Feb. 15, putting the risks on par with severe weather events.

Some analysts accept the idea that computer attacks aren’t having a big impact. Marty Mosby, a bank analyst and managing director at Guggenheim Partners, says bank management teams have told him that strikes are disruptive to customers without being a financial drain. Others are skeptical. “There is a disconnect,” says Stewart Baker, a former Homeland Security Department official and now a Washington-based partner at law firm Steptoe & Johnson. “All that intellectual property that the government sees leaving the country is coming from somewhere.”

The bottom line Among the 27 largest U.S. companies reporting cyber attacks, only Citigroup reported any material impact, and it was “limited.”

Welcome!

Magazines Review offers you a broad range of popular American magazines online. Browse an extensive directory of magazines, covering most important aspects of your life. Find the most recent issues of your favourite magazine, or check out the oldest ones.

About content

All the articles are taken from the official magazine websites and other open web resources.

Please send your complains and suggestions through our feedback form. Thank you.