Cybersecurity

The SEC Says Speak Up About Hack Attacks

Amazon, Google, and others are told to report security breaches

It’s getting tougher for some companies to keep quiet about cyberattacks. Securities and Exchange Commission guidelines on when cyberattacks should be disclosed have become de facto rules for at least six companies, including Google and Amazon.com, agency letters show. The six were asked to tell investors in future filings that intruders had breached their computer systems, according to the SEC letters sent in March, April, and May. Hacking admissions can hurt reputations, give competitors useful information, and trigger investor litigation.

In January, cyberthieves raided Amazon’s Zappos.com unit, stealing addresses and some credit-card digits from 24 million customers. Amazon initially resisted mentioning the attack in its regulatory filings, saying Zappos didn’t contribute material revenue to the company, even though it had told customers about the attack. When the SEC persisted, Amazon replied that “we continue to believe that the cyberattack experienced by Zappos is not covered” by the SEC’s guidance on the subject. “However, in light of the staff’s comment, we will revise our disclosure.” Craig Berman, an Amazon spokesman, declined to comment.