The news is full of stories about hackers breaking into corporate computer networks, and federal officials say the attackers are stealing billions of dollars in business secrets. Yet investors would have a hard time finding evidence of any damage. Among the 27 largest U.S. companies reporting cyber attacks—including MetLife, Coca-Cola, and Honeywell International—almost all said there has been no material impact from computer breaches. Citigroup, which reported “limited losses,” was an exception. The companies declined to comment. “I would bet some are just not being forthcoming,” says Lance Hoffman, director of George Washington University’s Cyber Security Policy and Research Institute.
That mixed message has triggered a debate about whether Washington is overstating the damage from cyber attacks or companies are understating their impact—or not disclosing the attacks at all. “There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policymakers,” says Sascha Meinrath, vice president of the New America Foundation, a policy group. The confusion hampers the ability of legislators and agency officials to understand cybersecurity, Meinrath says.
The challenge for companies is that regulators want more information about cyber attacks, yet businesses don’t want to provide hackers with a road map to their networks. The Securities and Exchange Commission issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information would affect an investor’s willingness to buy, hold, or sell the company’s stock.
Decisions about what constitutes material impact are made by companies, though SEC staffers may ask how they made those calls. Agency officials say the guidance is working. “We don’t think there is a need for a rule requirement at this time,” says James Daly, an associate director of the SEC. In an April 10 letter, Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) asked the SEC to give more authoritative guidance to companies, saying reporting so far is “insufficient.”
David Kepler, an executive vice president for Dow Chemical, said in prepared testimony for a March 7 Senate hearing that the company is “regularly” attacked “from sources that are advanced, persistent, and targeting our intellectual property.” Dow made only passing references to cyber threats in its annual report published on Feb. 15, putting the risks on par with severe weather events.
Some analysts accept the idea that computer attacks aren’t having a big impact. Marty Mosby, a bank analyst and managing director at Guggenheim Partners, says bank management teams have told him that strikes are disruptive to customers without being a financial drain. Others are skeptical. “There is a disconnect,” says Stewart Baker, a former Homeland Security Department official and now a Washington-based partner at law firm Steptoe & Johnson. “All that intellectual property that the government sees leaving the country is coming from somewhere.”