U.S. antitrust officials won’t pursue claims against companies for sharing information about cyberthreats, removing a potential obstacle to defending against attacks.
Information-sharing about cyberthreats can be done lawfully as long as companies aren’t discussing competitive information such as pricing, the Justice Department and Federal Trade Commission said in a joint statement today.
“This is an antitrust no-brainer,” Bill Baer, the head of the Justice Department’s antitrust division, said. “Companies who engage in properly designed cyberthreat information sharing will not run afoul of the antitrust laws.”
The proportion of companies reporting losses of $10 million or more as a result of cybersecurity incidents has risen 51 percent since 2011, according to a survey last year of 9,600 executives in 115 countries by PricewaterhouseCoopers LLP. About 7 percent of respondents said they had suffered such losses.
“Companies have told us that concerns about antitrust liability has been a barrier to being able to openly share cyberthreat information,” said Deputy Attorney General James Cole. “Antitrust concerns should not get in the way of sharing cybersecurity information.”
The U.S. Securities and Exchange Commission is reviewing how companies disclose cyberthreats to investors in public filings. Businesses including Target Corp., from which hackers stole payment-card data for millions of shoppers in December, are required to disclose such threats when the information would affect an investor’s willingness to own the company’s shares.
Companies aren’t required by the SEC to disclose all cyber-attacks, though the regulator routinely reviews how incidents are described in annual reports. Some lawmakers, including Senator Jay Rockefeller, a West Virginia Democrat, have asked the agency to consider making the disclosures mandatory.