As evidenced by Bloomberg Businessweek's recent article entitled "The SEC Says Speak Up About Hack Attacks," tension
has begun to grow between at least six of the Fortune 500 companies and the
Securities and Exchange Commission (SEC) of the United States government over
recent cyber-attacks on the systems of these companies. Charged with protecting investors, the SEC
has employed a “voluntary disclosure plan” through which corporations can
choose to report potential or minor cyber security threats, such as the attack
on Amazon’s Zappos that compromised the information of 24 million
customers.
At this point in time, the law of the SEC requires companies to disclose ‘material’
information, meaning data based on revenue that could affect the decisions made
by investors. The relationship that Amazon has with Zappos did not, at the
company’s discretion, qualify as major enough to report a breach in Zappos security
officially for the sake of investors (though it should be noted that Amazon did
inform its customers of the attack in an unofficial capacity). Why, then, have
Amazon, Google, and four other Fortune 500 companies officially reported
cyber-attacks which could damage their respective images in the eyes of
investors and reveal vulnerabilities to rival businesses?
Simply put, snail mail has been the method through which the SEC cracks the whip upon
the backs of these major corporations. The SEC sent “dozens of letters” asking the
companies about attacks and later bullied these companies into disclosing the
attacks. The SEC has been able to throw around its
regulatory weight in order to force companies to divulge information that the
law does not require them to divulge. I repeat, these reports of cyber-attacks are
not required by law. The federal government has turned its capacity as watch-dog
for investors into school-yard tyranny. Given a choice, no
company would intentionally damage its reputation and risk future revenue
from investors unless the alternative was worse. In this case, it is. Litigation brought about by the SEC can cost
millions of dollars if companies are not on good terms with SEC regulators, and
litigation drains time and resources.
Under the guise of protecting investors, the SEC has begun a power trip
that will not end with a few major companies and is, quite frankly, unfair.
The information that these companies are being forced to reveal, if it is not
considered materially significant by the company, would (in an ideal world) not
influence investors. These companies are
resisting reporting these minor attacks and potential breaches partly because
the average investor will assume an incident reported is more severe than it
truly is, as the law requires only pertinent attacks to be reported. Once the standard by which companies report
attacks becomes murky, investors have no firm knowledge of what constitutes a
relevant attack, and therefore cannot make an informed decision.
The struggle between big business and those attempting to regulate it has taken a
new and disturbing turn with the SEC using its power to force companies into
reporting information they have no legal obligation to report. Future investors must take these reports with
a grain of salt and remain aware of this struggle to make wise decisions.
Citations:
Bloomberg Businessweek magazine, September 10, 2012- September 16, 2012
U.S. Securities and Exchange Commission official website http://www.sec.gov/index.htm
Dr. J.P. Krahel (definition of "material" revenue)